Описание
User Impersonation in converse.js
Versions of converse.js prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.
Recommendation
If you're using converse.js 1.x, upgrade to 1.0.7 or later.
If you're using converse.js 2.x, upgrade to 2.0.5 or later.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2017-5858
- https://github.com/jcbrand/converse.js/commit/42f249cabbbf5c026398e6d3b350f6f9536ea572
- https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons
- https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf
- https://snyk.io/vuln/SNYK-JS-CONVERSEJS-449664
- https://www.npmjs.com/advisories/974
- https://www.openwall.com/lists/oss-security/2017/02/09/29
- http://openwall.com/lists/oss-security/2017/02/09/29
- http://www.securityfocus.com/bid/96183
Пакеты
converse.js
< 1.0.7
1.0.7
converse.js
>= 2.0.0, < 2.0.5
2.0.5
Связанные уязвимости
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4).