GHSA-W973-2QCC-P78X
Vulnerability from github – Published: 2020-09-11 21:19 – Updated: 2021-09-28 16:56
Summary
User Impersonation in converse.js
Details
Versions of converse.js prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.
Recommendation
If you're using converse.js 1.x, upgrade to 1.0.7 or later.
If you're using converse.js 2.x, upgrade to 2.0.5 or later.
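The defect described above is a missing origin check on carbon-wrapped messages. XEP-0280 requires that a forwarded copy inside a <received/> or <sent/> carbon be accepted only when the outer <message/> comes from the user's own bare JID; a client that skips that check and displays the inner message's `from` will show whatever sender a remote party chose to forge. The example below is added here and is not converse.js code; it uses Python's standard-library XML parser so the stanzas can be handled as real XML, and the JIDs, stanzas and the `unwrap_carbon`/`render` helper names are constructed for illustration.

```python
"""Validate XEP-0280 Message Carbons before trusting the forwarded sender.

Added example, not converse.js code. A carbon-aware client must check that the
outer <message/> wrapping a <received/> or <sent/> carbon comes from the user's
own bare JID; otherwise an arbitrary inner <message/> with a forged 'from'
would be rendered as if it came from a contact.
"""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def q(ns, local):
    """Clark-notation tag name as ElementTree reports it."""
    return "{%s}%s" % (ns, local)


def bare_jid(jid):
    """Strip the resource: 'juliet@capulet.example/balcony' -> 'juliet@capulet.example'."""
    return jid.split("/", 1)[0]


def unwrap_carbon(stanza_xml, own_jid):
    """Return ('received'|'sent', inner <message/>) for a valid carbon,
    None if the stanza is not a carbon, or raise ValueError for a carbon
    that fails the XEP-0280 origin check or is malformed."""
    outer = ET.fromstring(stanza_xml)
    if outer.tag != q(NS_CLIENT, "message"):
        return None
    for direction in ("received", "sent"):
        wrapper = outer.find(q(NS_CARBONS, direction))
        if wrapper is not None:
            break
    else:
        return None

    # Origin check (XEP-0280 security considerations): forwarded copies MUST
    # come from the user's own bare JID; anything else is ignored. A missing
    # 'from' is rejected as well (conservative assumption in this example).
    sender = outer.get("from")
    if sender is None or bare_jid(sender) != bare_jid(own_jid):
        raise ValueError("carbon not from own bare JID: %r" % sender)

    forwarded = wrapper.find(q(NS_FORWARD, "forwarded"))
    inner = forwarded.find(q(NS_CLIENT, "message")) if forwarded is not None else None
    if inner is None:
        raise ValueError("carbon without a forwarded <message/>")
    return direction, inner


def render(stanzas, own_jid):
    """Simulate a client's display: one (displayed_from, body, status) per stanza."""
    rows = []
    for xml in stanzas:
        try:
            result = unwrap_carbon(xml, own_jid)
        except ValueError as exc:
            rows.append((None, None, "rejected: %s" % exc))
            continue
        msg = ET.fromstring(xml) if result is None else result[1]
        body_el = msg.find(q(NS_CLIENT, "body"))
        body = body_el.text if body_el is not None else ""
        status = "direct" if result is None else "carbon-" + result[0]
        rows.append((msg.get("from"), body, status))
    return rows


OWN_JID = "juliet@capulet.example/balcony"  # constructed

# Constructed sample stanzas (not captured traffic). The first is a genuine
# carbon delivered by the user's own server; the second wraps the same inner
# message but arrives from an unrelated account, so it must not be displayed.
LEGIT_CARBON = """<message xmlns='jabber:client' from='juliet@capulet.example'
    to='juliet@capulet.example/balcony' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='romeo@montague.example/orchard'
          to='juliet@capulet.example/garden' type='chat'>
        <body>Neither, fair saint, if either thee dislike.</body>
      </message>
    </forwarded>
  </received>
</message>"""

SPOOFED_CARBON = """<message xmlns='jabber:client' from='mallory@other.example/x'
    to='juliet@capulet.example/balcony' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='romeo@montague.example/orchard'
          to='juliet@capulet.example/garden' type='chat'>
        <body>Change of plans, meet me at the crypt.</body>
      </message>
    </forwarded>
  </received>
</message>"""

DIRECT = ("<message xmlns='jabber:client' from='mallory@other.example/x' "
          "to='juliet@capulet.example/balcony' type='chat'><body>hi</body></message>")

if __name__ == "__main__":
    for row in render([LEGIT_CARBON, SPOOFED_CARBON, DIRECT], OWN_JID):
        print(row)
```

Running the block shows the genuine carbon rendered with Romeo as sender, the spoofed carbon rejected before any sender is shown, and the direct message attributed to its real outer `from`. The comparison is done on bare JIDs because the server sends carbons from the account's bare JID while the client is logged in with a full JID.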
Severity
5.9 (Medium)
{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "converse.js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "converse.js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-5858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-346"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:42:38Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `converse.js` prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of [XEP-0280: Message Carbons](https://xmpp.org/extensions/xep-0280.html) that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application\u0027s display. This allows for various kinds of social engineering attacks.\n\n\n## Recommendation\n\nIf you\u0027re using `converse.js` 1.x, upgrade to 1.0.7 or later.\nIf you\u0027re using `converse.js` 2.x, upgrade to 2.0.5 or later.",
  "id": "GHSA-w973-2qcc-p78x",
  "modified": "2021-09-28T16:56:35Z",
  "published": "2020-09-11T21:19:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5858"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jcbrand/converse.js/commit/42f249cabbbf5c026398e6d3b350f6f9536ea572"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jcbrand/converse.js"
    },
    {
      "type": "WEB",
      "url": "https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons"
    },
    {
      "type": "WEB",
      "url": "https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-CONVERSEJS-449664"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/974"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2017/02/09/29"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/02/09/29"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96183"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "User Impersonation in converse.js"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.