PT-2017-16717 · Converse · Converse.Js
Published: 2017-02-09 · Updated: 2020-09-11 · CVE-2017-5858
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
converse.js versions 0.8.0 through 1.0.6
converse.js versions 2.0.0 through 2.0.4
Description
The issue stems from an incorrect implementation of XEP-0280 (Message Carbons) in multiple XMPP clients, which allows a remote attacker to impersonate any user, including the victim's contacts, in the vulnerable application's display. This enables various kinds of social engineering attacks.
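The following is an added illustration of the receive-side check this bug class is about; it is not Converse.js code. Per XEP-0280 a carbon is a `<message>` whose outer `from` is the user's own bare JID, so a client must compare that outer `from` against its own account before trusting the forwarded inner stanza. The JIDs and stanzas below are constructed samples, and the attribute scanning is deliberately minimal (a real client reads its parsed DOM).

```javascript
// Added example (not Converse.js code). Per XEP-0280 a carbon is a <message> from the
// user's OWN bare JID wrapping the real stanza in <received|sent xmlns="urn:xmpp:carbons:2">.
// A client that trusts the inner <message> without checking the outer `from` displays
// whatever sender an arbitrary remote JID chooses to forward.
const CARBONS_NS = 'urn:xmpp:carbons:2';
// "alice@example.org/desktop" -> "alice@example.org" (case-folded for comparison).
function bareJid(jid) {
  return jid.split('/')[0].toLowerCase();
}
// Attribute of the FIRST <tag ...> element only. Minimal text scanning for the demo;
// a real client reads its parsed DOM instead of regex-scanning XML.
function attrOf(xml, tag, attr) {
  const start = xml.indexOf(`<${tag}`);
  if (start < 0) return null;
  const openTag = xml.slice(start, xml.indexOf('>', start));
  const m = openTag.match(new RegExp(`\\s${attr}="([^"]*)"`));
  return m ? m[1] : null;
}
function isCarbon(xml) {
  return new RegExp(`<(received|sent)\\s[^>]*xmlns="${CARBONS_NS}"`).test(xml);
}
// Returns { accept, sender, reason }: `sender` is the JID the UI may attribute the
// message to, or null when the stanza must be dropped.
function checkCarbon(stanzaXml, ownJid) {
  const outerFrom = attrOf(stanzaXml, 'message', 'from');
  if (!isCarbon(stanzaXml)) {
    return { accept: true, sender: outerFrom, reason: 'not a carbon' };
  }
  // The check the vulnerable versions lacked: only our own account (i.e. our
  // own server acting for it) may deliver carbon copies to us.
  if (outerFrom === null || bareJid(outerFrom) !== bareJid(ownJid)) {
    return { accept: false, sender: null, reason: `carbon from foreign JID ${outerFrom}` };
  }
  const inner = stanzaXml.slice(stanzaXml.indexOf('<forwarded'));
  return { accept: true, sender: attrOf(inner, 'message', 'from'), reason: 'carbon ok' };
}
// Constructed sample stanzas (not captured traffic).
const OWN_JID = 'alice@example.org/desktop';
const GENUINE = `<message xmlns="jabber:client" from="alice@example.org" to="${OWN_JID}" type="chat">
  <received xmlns="${CARBONS_NS}"><forwarded xmlns="urn:xmpp:forward:0">
    <message from="bob@example.org/phone" to="alice@example.org/phone" type="chat"><body>see you at 5</body></message>
  </forwarded></received></message>`;
const FORGED = `<message xmlns="jabber:client" from="mallory@example.net/x" to="${OWN_JID}" type="chat">
  <received xmlns="${CARBONS_NS}"><forwarded xmlns="urn:xmpp:forward:0">
    <message from="bob@example.org/phone" to="alice@example.org" type="chat"><body>hi, it is bob</body></message>
  </forwarded></received></message>`;
console.log(checkCarbon(GENUINE, OWN_JID).sender); // bob@example.org/phone
console.log(checkCarbon(FORGED, OWN_JID).accept);  // false
```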
Recommendations
If you're using converse.js 1.x, upgrade to 1.0.7 or later.
If you're using converse.js 2.x, upgrade to 2.0.5 or later.
Origin Validation Error
RCE
Affected Products
Converse.Js