Lucene search

GitHub Advisory DatabaseGHSA-C35G-JR5F-H83P

HistoryMay 13, 2022 - 1:28 a.m.

SleekXMPP and Slixmpp Incorrect Implementation of Message Carbons

2022-05-1301:28:46

CWE-940

GitHub Advisory Database

github.com

xep-0280 message carbons

remote attack

impersonation

social engineering

cve

sleekxmpp

slixmpp

poezio

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

65.4%

JSON

An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.

Affected configurations

Vulners

Node

sleekxmpp_projectsleekxmppRange≤1.3.1

slixmpp_projectslixmppRange≤1.2.3

VendorProductVersionCPE
sleekxmpp_projectsleekxmpp*cpe:2.3:a:sleekxmpp_project:sleekxmpp:*:*:*:*:*:*:*:*
slixmpp_projectslixmpp*cpe:2.3:a:slixmpp_project:slixmpp:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sleekxmpp_project	sleekxmpp	*	cpe:2.3:a:sleekxmpp_project:sleekxmpp::::::::
slixmpp_project	slixmpp	*	cpe:2.3:a:slixmpp_project:slixmpp::::::::