CVE-2020-26547

Name of the Vulnerable Software and Affected Versions: Monal versions prior to 4.9

Description: The issue allows a remote attacker, who can send stanzas to a victim, to inject arbitrary messages into the local history. This gives the attacker full control over the sender and receiver displayed to the victim. The problem arises from the lack of proper sender verification on MAM and Message Carbon (XEP-0280) results.

Recommendations: For versions prior to 4.9, update to version 4.9 or later to resolve the issue. As a temporary workaround, consider restricting access to MAM and Message Carbon (XEP-0280) results until the update is applied.