GHSA-W973-2QCC-P78X (Google OSV, osv.dev)
Published: 2020-09-11 21:19:09

User Impersonation in converse.js

Tags: converse.js, user impersonation, xep-0280, message carbons, upgrade

EPSS: 0.004 (percentile: 73.1%)
Versions of converse.js prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks.
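The advisory does not say which part of the carbons handling was wrong. The following is an added example, not converse.js code: it shows the origin check that XEP-0280's security considerations require of every client, that the outer stanza carrying a carbon copy comes from the user's own bare JID, and assumes that this is the relevant check. Stanzas are modelled as plain objects standing in for parsed XML, and all JIDs and sample stanzas are constructed for the example.

```javascript
// Added example (not converse.js code): XEP-0280 section 11 origin check for carbon copies.
// Stanzas are plain objects standing in for parsed XML; all samples are constructed.
const NS_CARBONS = "urn:xmpp:carbons:2";
const NS_FORWARD = "urn:xmpp:forward:0";

const el = (name, attrs = {}, children = []) => ({ name, attrs, children });

// Bare JID (localpart@domain) with simple case-folding; assumption: no full PRECIS handling.
function bareJid(jid) {
  return jid.split("/")[0].toLowerCase();
}

function child(parent, name, xmlns) {
  return parent.children.find(
    (c) => c.name === name && (xmlns === undefined || c.attrs.xmlns === xmlns)
  ) || null;
}

// Returns the forwarded <message> if the carbon can be trusted, otherwise null.
// The server wraps carbons on the user's behalf, so the OUTER 'from' must be the
// user's own bare JID; a copy from anyone else must be ignored, because its inner
// "from a contact" message is unverified and would be shown as if the contact sent it.
function unwrapCarbon(stanza, ownJid) {
  if (stanza.name !== "message") return null;
  const wrapper = child(stanza, "sent", NS_CARBONS) || child(stanza, "received", NS_CARBONS);
  if (!wrapper) return null; // not a carbon at all
  // A missing 'from' is treated as untrusted (conservative choice).
  if (!stanza.attrs.from || bareJid(stanza.attrs.from) !== bareJid(ownJid)) return null;
  const fwd = child(wrapper, "forwarded", NS_FORWARD);
  return fwd ? child(fwd, "message") : null;
}

const ME = "juliet@capulet.example/balcony";
const innerFromRomeo = el("message",
  { from: "romeo@montague.example/orchard", to: "juliet@capulet.example" }, [el("body")]);
const carbonOf = (outerFrom) =>
  el("message", { from: outerFrom, to: ME }, [
    el("received", { xmlns: NS_CARBONS }, [el("forwarded", { xmlns: NS_FORWARD }, [innerFromRomeo])]),
  ]);

// Genuine carbon: our own server delivered it from our bare JID.
const genuineCarbon = carbonOf("juliet@capulet.example");
// Untrusted carbon: identical inner message, but the outer sender is not our own account.
const spoofedCarbon = carbonOf("mallory@example.net");

console.log(unwrapCarbon(genuineCarbon, ME)?.attrs.from); // romeo@montague.example/orchard
console.log(unwrapCarbon(spoofedCarbon, ME));             // null
```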

Recommendation

If you’re using converse.js 1.x, upgrade to 1.0.7 or later.
If you’re using converse.js 2.x, upgrade to 2.0.5 or later.
