CVE-2016-9928 — Improper Privilege Management in Mcabber

CWE-269 — Improper Privilege Management8 documents6 sources

Severity

7.4HIGHNVD

EPSS

4.5%

top 10.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mcabber Debian Mcabber Canonical Ubuntu Linux +1 more

Timeline

PublishedFeb 6

Latest updateMay 24

Description

MCabber before 1.0.4 is vulnerable to roster push attacks, which allows remote attackers to intercept communications, or add themselves as an entity on a 3rd party's roster as another user, which will also garner associated privileges, via crafted XMPP packets.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages5 packages

▶debiandebian/mcabber< mcabber 0.10.2-1.1 (bookworm)

▶NVDmcabber/mcabber1.0.0 — 1.0.4

▶Debianmcabber/mcabber< 0.10.2-1.1+3

▶Ubuntumcabber/mcabber< 0.10.2-1+deb8u1build0.16.04.1

▶CVEListV5mcabber/mcabberbefore 1.0.4

Also affects: Debian Linux 8.0, Ubuntu Linux 16.04

Patches

Patch: bitbucket.org ↗Patch: bitbucket.org ↗

🔴Vulnerability Details

GHSA

GHSA-q477-8j82-fjq4: MCabber before 1↗2022-05-24

▶

OSV

mcabber vulnerability↗2020-09-16

▶

OSV

CVE-2016-9928: MCabber before 1↗2020-02-06

▶

📋Vendor Advisories

Ubuntu

MCabber vulnerability↗2020-09-16

▶

Debian

CVE-2016-9928: mcabber - MCabber before 1.0.4 is vulnerable to roster push attacks, which allows remote a...↗2016

▶

💬Community

Bugzilla

CVE-2016-9928 mcabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza↗2016-12-12

▶

Bugzilla

CVE-2016-9928 mcabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza [fedora-all]↗2016-12-12

▶