Full disclosure is available on the security mailing list (2016.07.22 Rick Radewagen).
PR merged.
Submitted https://github.com/igniterealtime/Openfire/pull/620
Update https://community.igniterealtime.org/docs/DOC-1842 after fixing or when CVE is released.
Full disclosure is available on the security mailing list (2016.07.22 Rick Radewagen).