PT-2017-16594 · Sleekxmpp+5 · Sleekxmpp+6

Georg Lukas · Published 2017-02-09 · Updated 2025-04-22 · CVE-2017-5589

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

yaxim and Bruno versions 0.8.6 through 0.8.8
SleekXMPP versions up to 1.3.1
Slixmpp versions up to 1.2.3
poezio versions 0.8 through 0.10
Movim versions 0.8 through 0.10
converse.js versions prior to 1.0.7 for 1.x or 2.0.5 for 2.x

Description

An incorrect implementation of XEP-0280: Message Carbons in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.

Recommendations

For yaxim and Bruno versions 0.8.6 through 0.8.8, upgrade to a version outside of this range.
For SleekXMPP versions up to 1.3.1, upgrade to version 1.3.2 or later.
For Slixmpp versions up to 1.2.3, upgrade to version 1.2.4 or later.
For poezio versions 0.8 through 0.10, upgrade to version 0.11 or later.
For Movim versions 0.8 through 0.10, upgrade to version 0.11 or later.
For converse.js 1.x, upgrade to 1.0.7 or later.
For converse.js 2.x, upgrade to 2.0.5 or later.
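The origin check that the affected clients were missing is the one XEP-0280 itself requires: a carbon copy (a <received/> or <sent/> wrapper in urn:xmpp:carbons:2) is only trustworthy when the outer stanza is delivered by the user's own bare JID, i.e. by the server acting for the account; a copy whose outer 'from' is any other JID must be ignored rather than rendered. The following is an added example written for this page, not code from SleekXMPP, Slixmpp or any other listed project. It assumes the client already knows its own JID (the own_jid parameter) and uses only the standard library; the stanzas embedded at the bottom are constructed samples.

```python
"""Validate a XEP-0280 Message Carbon before showing its contents to the user.

Added example; not taken from any of the affected projects. The account's own
JID (own_jid) is assumed to be supplied by the client, and the sample stanzas
at the bottom are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def bare_jid(jid):
    """Drop the resource part: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def extract_carbon(stanza_xml, own_jid):
    """Return the forwarded message as a dict, or None if it must be ignored.

    A None result covers three cases: the stanza is not a carbon at all, the
    carbon is malformed, or the carbon fails the origin check. Callers should
    display nothing for None rather than falling back to the inner 'from'.
    """
    msg = ET.fromstring(stanza_xml)
    if msg.tag != f"{{{NS_CLIENT}}}message":
        return None

    # Origin check (XEP-0280 security considerations): the outer 'from' must be
    # our own bare JID. RFC 6120 lets the server omit 'from' on stanzas it
    # generates on the account's behalf, so an absent attribute is accepted.
    outer_from = msg.get("from")
    if outer_from is not None and bare_jid(outer_from) != bare_jid(own_jid):
        return None

    direction = "received"
    wrapper = msg.find(f"{{{NS_CARBONS}}}received")
    if wrapper is None:
        direction = "sent"
        wrapper = msg.find(f"{{{NS_CARBONS}}}sent")
    if wrapper is None:
        return None

    forwarded = wrapper.find(f"{{{NS_FORWARD}}}forwarded")
    if forwarded is None:
        return None
    inner = forwarded.find(f"{{{NS_CLIENT}}}message")
    if inner is None:
        return None

    return {
        "direction": direction,
        "from": bare_jid(inner.get("from", "")),
        "to": bare_jid(inner.get("to", "")),
        "body": inner.findtext(f"{{{NS_CLIENT}}}body", default=""),
    }


# Constructed sample: a legitimate carbon, delivered by the account's own bare JID.
VALID_CARBON = """
<message xmlns='jabber:client' from='alice@example.org' to='alice@example.org/phone' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='bob@example.org/laptop' to='alice@example.org/desktop' type='chat'>
        <body>hello from bob</body>
      </message>
    </forwarded>
  </received>
</message>
"""

# Constructed sample: same wrapper, but delivered by an unrelated JID. A client
# that skips the origin check would show this as a message from bob.
FORGED_CARBON = VALID_CARBON.replace("from='alice@example.org'", "from='mallory@example.net/x'")

# Constructed sample: the server omitted 'from' entirely (allowed by RFC 6120).
NO_FROM_CARBON = VALID_CARBON.replace(" from='alice@example.org'", "")

# Constructed sample: an ordinary chat message, not a carbon.
PLAIN_MESSAGE = """
<message xmlns='jabber:client' from='bob@example.org/laptop' to='alice@example.org/phone' type='chat'>
  <body>direct message</body>
</message>
"""

if __name__ == "__main__":
    for name, stanza in [("valid", VALID_CARBON), ("forged", FORGED_CARBON),
                         ("no-from", NO_FROM_CARBON), ("plain", PLAIN_MESSAGE)]:
        print(name, "->", extract_carbon(stanza, "alice@example.org/phone"))
```

The check compares bare JIDs on both sides because the server may deliver carbons from the account's bare JID while the client is logged in with a resource; comparing full JIDs would reject legitimate copies. Note that the inner forwarded message is never used for the origin decision: its 'from' is exactly the field an attacker controls, so it is only read after the outer stanza has passed the check.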

Exploit

Fix

Origin Validation Error

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2017-1284
ALT-PU-2017-1350
CVE-2017-5589
GHSA-C35G-JR5F-H83P
GHSA-HQ38-V658-G3WP
GHSA-W973-2QCC-P78X
OPENSUSE-SU-2024:11273-1
OPENSUSE-SU-2024:11274-1
OPENSUSE-SU-2024:14165-1
OPENSUSE-SU-2025:15016-1
PYSEC-2017-103
PYSEC-2017-104

Affected Products

Bruno
Movim
Sleekxmpp
Slixmpp
Converse.Js
Poezio
Yaxim