security-advisories@github.com reports:
Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn't available for a specific release, or isn't quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.