CVE-2017-5591
PUBLISHED
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.
Risk Scores
EPSS Score: 0.41% (61.4th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | sleekxmpp | 0, 1.0~beta5-2, 1.3.1-1 |
Exploit Intelligence
- http://openwall.com/lists/oss-security/2017/02/09/29 (nist-nvd)
- https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ (nist-nvd)
- https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf (nist-nvd)
- 96166 (circl)
- https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160ad8 (circl)
- XMPP Clients User Impersonation Vulnerability (0day-today)
Timeline
- Feb 9, 2017 CVE Published
- Feb 10, 2017 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-5591 third-party-advisory
- http://openwall.com/lists/oss-security/2017/02/09/29 third-party-advisory
- https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160ad8 third-party-advisory
- https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ third-party-advisory
- https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-5591 third-party-advisory