Lucene search

K

GoogleOSV:GHSA-C35G-JR5F-H83P

HistoryMay 13, 2022 - 1:28 a.m.

SleekXMPP and Slixmpp Incorrect Implementation of Message Carbons

2022-05-1301:28:46

Google

osv.dev

9

xmpp

message carbons

vulnerability

remote attack

impersonation

social engineering

sleekxmpp

slixmpp

poezio

EPSS

0.004

Percentile

73.1%

An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.

References

openwall.com/lists/oss-security/2017/02/09/29

github.com/fritzy/SleekXMPP/commit/285495d5ee2427d93d961ceedcd1829383e5196d

github.com/fritzy/SleekXMPP/issues/442

github.com/poezio/slixmpp

github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160ad8

nvd.nist.gov/vuln/detail/CVE-2017-5591

rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons

rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf

web.archive.org/web/20200227192025/www.securityfocus.com/bid/96166

EPSS

0.004

Percentile

73.1%

Related for OSV:GHSA-C35G-JR5F-H83P

osv13 nessus4 ubuntucve1 nvd2 fedora3 cve2 debiancve1 cvelist2 openvas2 veracode1 prion2 github1 archlinux1 zdt1