Georg Lukas

**Name of the Vulnerable Software and Affected Versions** yaxim and Bruno versions 0.8.6 through 0.8.8 SleekXMPP versions up to 1.3.1 Slixmpp versions up to 1.2.3 poezio versions 0.8 through 0.10 Movim versions 0.8 through 0.10 converse.js versions prior to 1.0.7 for 1.x or 2.0.5 for 2.x **Description** An incorrect implementation of XEP-0280: Message Carbons in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. **Recommendations** For yaxim and Bruno versions 0.8.6 through 0.8.8, upgrade to a version outside of this range. For SleekXMPP versions up to 1.3.1, upgrade to version 1.3.2 or later. For Slixmpp versions up to 1.2.3, upgrade to version 1.2.4 or later. For poezio versions 0.8 through 0.10, upgrade to version 0.11 or later. For Movim versions 0.8 through 0.10, upgrade to version 0.11 or later. For converse.js 1.x, upgrade to 1.0.7 or later. For converse.js 2.x, upgrade to 2.0.5 or later.

**Name of the Vulnerable Software and Affected Versions** ChatSecure versions 3.2.0 through 4.0.0 Zom versions prior to 1.0.11 **Description** The issue is related to an incorrect implementation of XEP-0280: Message Carbons in multiple XMPP clients. This allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display, enabling various kinds of social engineering attacks. **Recommendations** For ChatSecure versions 3.2.0 through 4.0.0, update to a version outside of this range to resolve the issue. For Zom versions prior to 1.0.11, update to version 1.0.11 or later to fix the problem.

**Name of the Vulnerable Software and Affected Versions** Jitsi versions 2.5.5061 through 2.9.5544 **Description** The issue is related to an incorrect implementation of XEP-0280: Message Carbons in multiple XMPP clients, allowing a remote attacker to impersonate any user in the vulnerable application's display. This can lead to various kinds of social engineering attacks. **Recommendations** For Jitsi versions 2.5.5061 through 2.9.5544, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** mcabber versions 1.0.0 through 1.0.4 **Description** The issue is related to an incorrect implementation of XEP-0280: Message Carbons in multiple XMPP clients, allowing a remote attacker to impersonate any user in the vulnerable application's display. This enables various kinds of social engineering attacks. **Recommendations** For mcabber versions 1.0.0 through 1.0.4, update to a version that correctly implements XEP-0280: Message Carbons to prevent impersonation attacks.