Design/Logic Flaw

2017-02-0920:59:00

PRIOn knowledge base

www.prio-n.com

5.7 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.6%

JSON

An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for yaxim and Bruno (0.8.6 - 0.8.8; Android).

CPENameOperatorVersion
brunoeq0.8.7
brunoeq0.8.8
brunoeq0.8.6
yaximeq0.8.6
yaximeq0.8.7
yaximeq0.8.8

Name	Operator	Version
bruno	eq	0.8.7
bruno	eq	0.8.8
bruno	eq	0.8.6
yaxim	eq	0.8.6
yaxim	eq	0.8.7
yaxim	eq	0.8.8

References

openwall.com/lists/oss-security/2017/02/09/29

www.securityfocus.com/bid/96170

github.com/ge0rg/yaxim/commit/65a38dc77545d9568732189e86089390f0ceaf9f

rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/

rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf