GitHub Advisory Database: GHSA-W973-2QCC-P78X
Published: Sep 11, 2020, 9:19 p.m.

User Impersonation in converse.js

CWE: CWE-20 (Improper Input Validation), CWE-346 (Origin Validation Error)
Source: GitHub Advisory Database (github.com)
Tags: converse.js, user impersonation, xep-0280, vulnerable, upgrade, implementation, social engineering

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

EPSS: 0.004 (73.1st percentile)

Versions of converse.js prior to 1.0.7 (1.x) or 2.0.5 (2.x) are vulnerable to user impersonation. The package's implementation of XEP-0280 (Message Carbons) is incorrect: it does not enforce the rule in the XEP's Security Considerations that a carbon copy be accepted only when the wrapping stanza comes from the user's own bare JID. A remote attacker can therefore send a crafted carbon-shaped stanza and have its forwarded payload rendered in the vulnerable client's display as if it came from any user, including the victim's contacts. This enables a range of social engineering attacks (fake instructions, links or requests that appear to come from a trusted contact).
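As an added example (not part of the advisory and not converse.js code), the Python sketch below applies the origin check that XEP-0280's Security Considerations require before a client trusts a carbon copy, and shows side by side what a client that skips the check would display. Python with the standard-library XML parser is used because the check is protocol-level rather than browser-specific. The JIDs, stanza contents and helper names (`unwrap_carbon`, `display_line`, `carbon_stanza`) are constructed for illustration; the forged stanza models the impersonation path the advisory describes, where a third party sends a carbon-shaped stanza whose forwarded payload names a contact as the sender.

```python
# Added example, not converse.js code: the XEP-0280 origin check a client must
# apply before rendering a carbon copy, with a flag that reproduces the
# vulnerable behaviour for comparison. All JIDs and message texts are constructed.
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def tag(ns, local):
    """ElementTree's Clark notation for a namespaced element: '{ns}local'."""
    return "{%s}%s" % (ns, local)


def bare_jid(jid):
    """Drop the resource: 'romeo@montague.example/home' -> 'romeo@montague.example'."""
    return jid.split("/", 1)[0]


def unwrap_carbon(stanza_xml, my_bare_jid, enforce_origin=True):
    """Return (direction, inner_from, body) for an acceptable carbon, else None.

    XEP-0280 rule: the outer <message/> wrapping a <sent/> or <received/> carbon
    MUST come from the user's own bare JID; any other copy MUST be ignored.
    A missing 'from' is accepted because RFC 6120 treats a server-generated
    stanza without 'from' as coming from the user's own account.
    enforce_origin=False skips the rule, i.e. the vulnerable behaviour.
    """
    msg = ET.fromstring(stanza_xml)
    if msg.tag != tag(NS_CLIENT, "message"):
        return None

    direction, wrapper = None, None
    for candidate in ("sent", "received"):
        wrapper = msg.find(tag(NS_CARBONS, candidate))
        if wrapper is not None:
            direction = candidate
            break
    if wrapper is None:
        return None  # not a carbon at all; ordinary message handling applies

    origin = msg.get("from")
    if enforce_origin and origin is not None and origin != my_bare_jid:
        # Any third party, and even the user's own full JID, fails the check.
        return None

    forwarded = wrapper.find(tag(NS_FORWARD, "forwarded"))
    inner = forwarded.find(tag(NS_CLIENT, "message")) if forwarded is not None else None
    if inner is None:
        return None
    body = inner.findtext(tag(NS_CLIENT, "body"), default="")
    return direction, inner.get("from", ""), body


def display_line(stanza_xml, my_bare_jid, enforce_origin=True):
    """The line a chat window would show for the stanza, or None if it is dropped."""
    result = unwrap_carbon(stanza_xml, my_bare_jid, enforce_origin)
    if result is None:
        return None
    direction, sender, body = result
    who = "me" if direction == "sent" else bare_jid(sender)
    return "%s: %s" % (who, body)


def carbon_stanza(outer_from, inner_from, body):
    """Build a constructed <received/> carbon; outer_from=None omits the 'from' attribute."""
    from_attr = "" if outer_from is None else " from='%s'" % outer_from
    return (
        "<message xmlns='jabber:client'%s to='romeo@montague.example/home'>"
        "<received xmlns='urn:xmpp:carbons:2'>"
        "<forwarded xmlns='urn:xmpp:forward:0'>"
        "<message xmlns='jabber:client' from='%s' to='romeo@montague.example/garden' type='chat'>"
        "<body>%s</body></message></forwarded></received></message>"
    ) % (from_attr, inner_from, body)


ME = "romeo@montague.example"
# Legitimate copy: the user's own server wraps a message Juliet sent to another resource.
LEGIT = carbon_stanza(ME, "juliet@capulet.example/balcony", "Meet me at the orchard at nine.")
# Forgery: a third party sends a carbon-shaped stanza naming Juliet as the inner sender.
FORGED = carbon_stanza("mallory@evil.example", "juliet@capulet.example/balcony",
                       "Send the money to this address.")

if __name__ == "__main__":
    print(display_line(LEGIT, ME))                         # shown, attributed to Juliet
    print(display_line(FORGED, ME))                        # None: dropped by the origin check
    print(display_line(FORGED, ME, enforce_origin=False))  # vulnerable client: shown as from Juliet
```

The only difference between the safe and the impersonated result is the comparison of the outer stanza's `from` against the user's bare JID; the forwarded payload is attacker-controlled in both cases, so nothing inside `<forwarded/>` can be used to decide trust.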

Recommendation

If you’re using converse.js 1.x, upgrade to 1.0.7 or later.
If you’re using converse.js 2.x, upgrade to 2.0.5 or later.

Affected configurations

Vulners:
conversejs converse.js, range >= 2.0.0, < 2.0.5
OR
conversejs converse.js, range < 1.0.7

Vendor: conversejs; Product: converse.js; Version: *; CPE: cpe:2.3:a:conversejs:converse.js:*:*:*:*:*:*:*:*
