CVE-2017-5606
MEDIUMXabber < 1.0.30 - Unauthenticated User Impersonation via XEP-0280 Message Carbons
Title source: llmDescription
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 - 1.0.74; Android).
References (4)
Core 4
Core References
Exploit, Mailing List, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2017/02/09/29
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/96186
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf
Scores
CVSS v3
5.9
EPSS
0.0078
EPSS Percentile
51.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
CWE-346
Status
published
Products (1)
xabber/xabber
< 1.0.30 (2 CPE variants)
Published
Feb 09, 2017
Tracked Since
Feb 18, 2026