CVE-2020-26547
CRITICAL
Monal < 4.9 - Message Spoofing via MAM and Message Carbon Results
Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. This allows a remote attacker (able to send stanzas to a victim) to inject arbitrary messages into the local history, with full control over the sender and receiver displayed to the victim.
References (2)
Core References
Third Party Advisory x_refsource_misc
https://github.com/anurodhp/Monal/commits/develop
Vendor Advisory x_refsource_confirm
https://monal.im/blog/cve-2020-26547/
Scores
CVSS v3
9.8
EPSS
0.0055
EPSS Percentile
41.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-345
Status
published
Products (1)
monal/monal
< 4.9
Published
Feb 01, 2021
Tracked Since
Feb 18, 2026