User Impersonation

Affecting converse.js package, versions <1.0.7 || >=2.0.0 <2.0.5


Overview

converse.js is a web based XMPP/Jabber chat client.

Affected versions of this package are vulnerable to User Impersonation. An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.
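As an added illustration (not converse.js code), the check XEP-0280 requires before a client trusts a carbon copy: the outer stanza must come from the user's own bare JID, i.e. their own server. Stanzas are modelled here as plain objects rather than XML DOM nodes, and the JIDs and messages are constructed samples.

```javascript
const CARBONS_NS = "urn:xmpp:carbons:2";
const FORWARD_NS = "urn:xmpp:forward:0";

// Minimal stanza model used instead of a real XML DOM: {name, attrs, children}.
function el(name, attrs = {}, children = []) {
  return { name, attrs, children };
}

function child(node, name, ns) {
  return node.children.find(c => c.name === name && (ns === undefined || c.attrs.xmlns === ns));
}

// "alice@example.com/phone" -> "alice@example.com"
function bareJid(jid) {
  return jid.split("/")[0].toLowerCase();
}

function forwardedMessage(wrapper) {
  const fwd = child(wrapper, "forwarded", FORWARD_NS);
  return fwd ? child(fwd, "message") || null : null;
}

// Vulnerable pattern: unwrap whatever sits inside <received>/<sent> and render the
// inner message under its own 'from', without asking who delivered the carbon.
function unwrapCarbonUnchecked(stanza) {
  const wrapper = child(stanza, "received", CARBONS_NS) || child(stanza, "sent", CARBONS_NS);
  return wrapper ? forwardedMessage(wrapper) : null;
}

// Hardened: XEP-0280 says carbon copies MUST come from the user's own bare JID;
// anything else is ignored. A missing 'from' is rejected here as a conservative choice.
function acceptCarbon(stanza, ownJid) {
  const wrapper = child(stanza, "received", CARBONS_NS) || child(stanza, "sent", CARBONS_NS);
  if (!wrapper) return null;
  const from = stanza.attrs.from;
  if (!from || bareJid(from) !== bareJid(ownJid)) return null;
  return forwardedMessage(wrapper);
}

// Constructed sample: a carbon wrapping a message that appears to be from bob to alice.
function carbon(outerFrom) {
  const inner = el("message", { from: "bob@example.com/home", to: "alice@example.com", type: "chat" },
    [el("body")]);
  return el("message", { from: outerFrom, to: "alice@example.com/desktop", type: "chat" }, [
    el("received", { xmlns: CARBONS_NS }, [el("forwarded", { xmlns: FORWARD_NS }, [inner])]),
  ]);
}

const legit = carbon("alice@example.com");      // delivered by alice's own server
const forged = carbon("mallory@other.example"); // same payload from an unrelated JID
```

The unchecked variant renders the forged copy as a message from bob; the hardened variant drops it and only accepts the copy whose outer sender is alice's own bare JID.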

Remediation

Upgrade converse.js to version 1.0.7, 2.0.5 or higher.

CVSS Score

5.9
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    High
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Credit
Unknown
CVE
CVE-2017-5858
CWE
CWE-20 CWE-346
Snyk ID
SNYK-JS-CONVERSEJS-449664
Disclosed
02 Sep, 2017
Published
12 Jun, 2019