Information Exposure

Affecting converse.js package, versions <3.3.3

Do your applications use this vulnerable package? Test your applications

Overview

converse.jsis a web based XMPP/Jabber instant messaging client.

Affected versions of this package are vulnerable to Information Exposure. It allows remote attackers to obtain sensitive information because it is too difficult to determine whether safe publication of private data was configured or even intended. For example, users might have an expectation that chatroom bookmarks are private, but the various interacting software components do not necessarily make that happen.

Remediation

Upgrade converse.js to version 3.3.3 or higher.

References

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Credit
Unknown
CVE
CVE-2018-6591
CWE
CWE-200
Snyk ID
npm:converse.js:20180208
Disclosed
08 Feb, 2018
Published
22 Feb, 2018