CVE-2017-5591

MEDIUM

SleekXMPP < 1.3.1 and Slixmpp < 1.2.3 - Remote User Impersonation via XEP-0280 Message Carbons

Title source: llm

Description

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/96166

Exploit, Mailing List, Third Party Advisory x_refsource_misc

http://openwall.com/lists/oss-security/2017/02/09/29

Exploit, Technical Description, Third Party Advisory x_refsource_misc

https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/

Exploit, Technical Description, Third Party Advisory x_refsource_misc

https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf

Patch x_refsource_misc

https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160ad8

View Patch ZIP pw:eip

Scores

CVSS v3 5.9

EPSS 0.0126

EPSS Percentile 65.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-20 CWE-346

Status published

Products (8)

poezio/poezio 0.8

poezio/poezio 0.8.1

poezio/poezio 0.9

poezio/poezio 0.10

pypi/SleekXMPP 0 - 1.3.2PyPI

pypi/slixmpp 0 - 1.2.4PyPI

sleekxmpp_project/sleekxmpp < 1.3.1

slixmpp_project/slixmpp < 1.2.3

Published Feb 09, 2017

Tracked Since Feb 18, 2026