converse.js is a web based XMPP/Jabber chat client.
Affected versions of this package are vulnerable to User Impersonation. An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.
converse.js to version 1.0.7, 2.0.5 or higher.