Vulnerability Description
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 - 1.0.74; Android).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xabber | Xabber | <= 1.0.30 |
Related Weaknesses (CWE)
References
- http://openwall.com/lists/oss-security/2017/02/09/29ExploitMailing ListThird Party Advisory
- http://www.securityfocus.com/bid/96186Third Party AdvisoryVDB Entry
- https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ExploitTechnical DescriptionThird Party Advisory
- https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdExploitTechnical DescriptionThird Party Advisory
- http://openwall.com/lists/oss-security/2017/02/09/29ExploitMailing ListThird Party Advisory
- http://www.securityfocus.com/bid/96186Third Party AdvisoryVDB Entry
- https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ExploitTechnical DescriptionThird Party Advisory
- https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdExploitTechnical DescriptionThird Party Advisory
FAQ
What is CVE-2017-5606?
CVE-2017-5606 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This ...
How severe is CVE-2017-5606?
CVE-2017-5606 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-5606?
Check the references section above for vendor advisories and patch information. Affected products include: Xabber Xabber.