CVE-2017-5604 — Improper Input Validation in Mcabber

CWE-20 — Improper Input Validation CWE-346 — Origin Validation Error4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 51.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mcabber Debian Mcabber

Timeline

PublishedFeb 9

Latest updateMay 17

Description

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for mcabber 1.0.0 - 1.0.4.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/mcabber< mcabber 1.0.4-1.1 (bookworm)

▶Debianmcabber/mcabber< 1.0.4-1.1+3

▶NVDmcabber/mcabber5 versions+4

Patches

Patch: mcabber.com ↗Patch: mcabber.com ↗

🔴Vulnerability Details

GHSA

GHSA-wxww-rqxx-jpg4: An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contac↗2022-05-17

▶

OSV

CVE-2017-5604: An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contac↗2017-02-09

▶

📋Vendor Advisories

Debian

CVE-2017-5604: mcabber - An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clie...↗2017

▶