CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
73.1%
Versions of converse.js
prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks.
If you’re using converse.js
1.x, upgrade to 1.0.7 or later.
If you’re using converse.js
2.x, upgrade to 2.0.5 or later.
Vendor | Product | Version | CPE |
---|---|---|---|
conversejs | converse.js | * | cpe:2.3:a:conversejs:converse.js:*:*:*:*:*:*:*:* |
openwall.com/lists/oss-security/2017/02/09/29
www.securityfocus.com/bid/96183
github.com/advisories/GHSA-w973-2qcc-p78x
github.com/jcbrand/converse.js/commit/42f249cabbbf5c026398e6d3b350f6f9536ea572
nvd.nist.gov/vuln/detail/CVE-2017-5858
rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/
rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf
snyk.io/vuln/SNYK-JS-CONVERSEJS-449664
www.npmjs.com/advisories/974
www.openwall.com/lists/oss-security/2017/02/09/29
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
73.1%