CVE-2017-5606

Опубликовано: 09 фев. 2017

Источник: nvd

CVSS3: 5.9

CVSS2: 4.3

EPSS Низкий

Описание

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 - 1.0.74; Android).

Ссылки

http://openwall.com/lists/oss-security/2017/02/09/29
Exploit
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/96186
Third Party Advisory
VDB Entry
https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/
Exploit
Technical Description
Third Party Advisory
https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf
Exploit
Technical Description
Third Party Advisory
http://openwall.com/lists/oss-security/2017/02/09/29
Exploit
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/96186
Third Party Advisory
VDB Entry
https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/
Exploit
Technical Description
Third Party Advisory
https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf
Exploit
Technical Description
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xabber:xabber:*:*:*:*:-:android:*:*

Версия до 1.0.30 (включая)

cpe:2.3:a:xabber:xabber:*:*:*:*:vip:android:*:*

Версия до 1.0.30 (включая)

EPSS

Процентиль: 59%

0.00376

Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-20

Связанные уязвимости

GHSA-gchp-x69g-3q35