Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tdjRoLXFtMjQteDRnaM4AAWnW
Converse.js Exposure of Sensitive Information
Converse.js and Inverse.js through 3.3 allow remote attackers to obtain sensitive information because it is too difficult to determine whether safe publication of private data was configured or even intended. For example, users might have an expectation that chatroom bookmarks are private, but the various interacting software components do not necessarily make that happen.
Permalink: https://github.com/advisories/GHSA-mv4h-qm24-x4ghJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdjRoLXFtMjQteDRnaM4AAWnW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 7 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-mv4h-qm24-x4gh, CVE-2018-6591
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-6591
- https://gultsch.de/converse_bookmarks.html
- https://github.com/conversejs/converse.js/commit/ba09996998df38a5eb76903457fbb1077caabe25
- https://github.com/advisories/GHSA-mv4h-qm24-x4gh
Blast Radius: 8.6
Affected Packages
npm:converse.js
Dependent packages: 4Dependent repositories: 7
Downloads: 852 last month
Affected Version Ranges: < 3.3.3
Fixed in: 3.3.3
All affected versions: 1.0.0, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2
All unaffected versions: 3.3.3, 3.3.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.5, 6.0.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 8.0.0, 8.0.1, 9.0.0, 9.1.0, 9.1.1, 10.0.0, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.6, 10.1.7
packagist:jcbrand/converse.js
Dependent packages: 0Dependent repositories: 6
Downloads: 156,315 total
Affected Version Ranges: < 3.3.3
Fixed in: 3.3.3
All affected versions: 2.0.5, 2.0.6, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2
All unaffected versions: 3.3.3, 3.3.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 8.0.0, 8.0.1, 9.0.0, 9.1.0, 9.1.1, 10.0.0, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.6, 10.1.7