CVE-2017-5602
Severity: MEDIUM
jappix 1.0.0-1.1.6 - Remote User Impersonation via XEP-0280 Message Carbons
Title source: llmDescription
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for jappix 1.0.0 to 1.1.6.
References (5)
- Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/96176
- Exploit, Mailing List, Third Party Advisory (x_refsource_misc): http://openwall.com/lists/oss-security/2017/02/09/29
- Patch (x_refsource_misc): https://github.com/jappix/jappix/commit/ea6de7c65b80880bdf85df47c1a8a5d3d68491af
- Exploit, Technical Description, Third Party Advisory (x_refsource_misc): https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/
- Exploit, Technical Description, Third Party Advisory (x_refsource_misc): https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf
Scores
- CVSS v3: 5.9
- EPSS: 0.0068
- EPSS Percentile: 47.4%
- Attack Vector: NETWORK
- Vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
- CWE: CWE-20, CWE-346
- Status: published
Products (15)
- jappix_project/jappix 1.0.0
- jappix_project/jappix 1.0.1
- jappix_project/jappix 1.0.2
- jappix_project/jappix 1.0.3
- jappix_project/jappix 1.0.4
- jappix_project/jappix 1.0.5
- jappix_project/jappix 1.0.6
- jappix_project/jappix 1.0.7
- jappix_project/jappix 1.1.0
- jappix_project/jappix 1.1.1
- ... and 5 more
Published: Feb 09, 2017
Tracked Since: Feb 18, 2026