PT-2020-8059 · Mcabber+2 · Mcabber+2

Martin Prpič

·

Published

2016-12-30

·

Updated

2022-01-01

·

CVE-2016-9928

CVSS v3.1

7.4

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: MCabber versions prior to 1.0.4
Description: The issue allows remote attackers to intercept communications or add themselves as an entity on a third party's roster as another user, garnering associated privileges, via crafted XMPP packets. This is achieved through roster push attacks.
Recommendations: For versions prior to 1.0.4, update to version 1.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to roster management functions until a patch is applied. Avoid using crafted XMPP packets in the affected API endpoints until the issue is resolved.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-269

Related Identifiers

ALT-PU-2017-1350
CVE-2016-9928
DLA-2260-1
DLA-724-1
MGASA-2016-0433
OPENSUSE-SU-2024:10979-1
USN-4506-1

Affected Products

Alt Linux
Mcabber
Ubuntu