Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1jMzVnLWpyNWYtaDgzcM4AAQt2

SleekXMPP and Slixmpp Incorrect Implementation of Message Carbons

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This enables various kinds of social engineering attacks. This CVE covers SleekXMPP up to and including 1.3.1 and all Slixmpp versions up to and including 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.

Permalink: https://github.com/advisories/GHSA-c35g-jr5f-h83p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMzVnLWpyNWYtaDgzcM4AAQt2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 8 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-c35g-jr5f-h83p, CVE-2017-5591
References:
Repository: https://github.com/poezio/slixmpp
Blast Radius: 17.0

Affected Packages

pypi:SleekXMPP
Dependent packages: 7
Dependent repositories: 395
Downloads: 3,905 last month
Affected Version Ranges: <= 1.3.1
Fixed in: 1.3.2
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.3.3
pypi:slixmpp
Dependent packages: 14
Dependent repositories: 770
Downloads: 18,497 last month
Affected Version Ranges: <= 1.2.3
Fixed in: 1.2.4
All affected versions: 1.2.1, 1.2.2, 1.2.3
All unaffected versions: 1.2.4, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5