An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4).

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N
Vendors Products
Conversejs
  • Converse.js

Configuration 1 [-]

OR cpe:2.3:a:conversejs:converse.js:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.8.2:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.8.3:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.8.4:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.8.5:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.8.6:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.9.4:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.9.5:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.9.6:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.10.0:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:conversejs:converse.js:2.0.4:*:*:*:*:*:*:*
References
Link Resource
http://openwall.com/lists/oss-security/2017/02/09/29 Exploit Mailing List Third Party Advisory
http://www.securityfocus.com/bid/96183
https://github.com/jcbrand/converse.js/commit/42f249cabbbf5c026398e6d3b350f6f9536ea572 Patch
https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ Exploit Technical Description Third Party Advisory
https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf Exploit Technical Description Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-02-09T20:00:00

Updated: 2017-02-28T10:57:01

Reserved: 2017-02-02T00:00:00

Link: CVE-2017-5858

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2017-02-09T20:59:00.577

Modified: 2017-03-01T02:59:06.043

Link: CVE-2017-5858

JSON object: View

cve-icon Redhat Information

No data.

CWE