Versions of converse.js
prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks.
If you’re using converse.js
1.x, upgrade to 1.0.7 or later.
If you’re using converse.js
2.x, upgrade to 2.0.5 or later.
openwall.com/lists/oss-security/2017/02/09/29
www.securityfocus.com/bid/96183
github.com/jcbrand/converse.js
github.com/jcbrand/converse.js/commit/42f249cabbbf5c026398e6d3b350f6f9536ea572
nvd.nist.gov/vuln/detail/CVE-2017-5858
rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons
rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf
snyk.io/vuln/SNYK-JS-CONVERSEJS-449664
www.npmjs.com/advisories/974
www.openwall.com/lists/oss-security/2017/02/09/29