MEDIUM · 6.4

CVE-2013-6483

Vulnerability Description

The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not properly determine whether the from address in an iq reply is consistent with the to address in an iq request, which allows remote attackers to spoof iq traffic or cause a denial of service (NULL pointer dereference and application crash) via a crafted reply.

CVSS Score

6.4 (MEDIUM)

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Confidentiality: NONE
Integrity: PARTIAL
Availability: PARTIAL

Affected Products

Vendor | Product | Versions
Pidgin | Pidgin | <= 2.10.7

Related Weaknesses (CWE)

References

FAQ

What is CVE-2013-6483?

CVE-2013-6483 is a vulnerability with a CVSS score of 6.4 (MEDIUM). The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not properly determine whether the from address in an iq reply is consistent with the to address in an iq request, which allows remote attackers to spoof iq traffic or cause a denial of service (NULL pointer dereference and application crash) via a crafted reply.

How severe is CVE-2013-6483?

CVE-2013-6483 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2013-6483?

Check the references section above for vendor advisories and patch information. Affected products include: Pidgin (vendor: Pidgin).