Vulnerability detail

Enriched intelligence for a single CVE

5.3

CVSS
Medium

CVE-2019-18393

PUBLISHED

PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory,...

Exploited in the wild Remote Low complexity No user interaction

Vendor: Ignite Realtime
Product: Openfire
Published: Oct 24, 2019
EPSS: —

Automate this intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability.

nuclei_scanner

CVSS scores

CVSS v3.1 5.3 Medium

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2.0 5.0 Medium

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitation status

Exploited in the wild

Recorded 2025-07-27 00:00:00 UTC · The Shadowserver (via CIRCL)

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
The Shadowserver (via CIRCL) First	2025-07-27 00:00 UTC

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-18393.yaml	Apr 25, 2025

Timeline

CVE ID Reserved

2019-10-24 00:00 UTC
CVE Published to Public

2019-10-24 10:58 UTC
Detected by Nuclei

2025-04-25 00:00 UTC
Added to KEVIntel

2025-07-27 00:00 UTC