5.9
CVE-2017-5590
- EPSS 0.73%
- Veröffentlicht 09.02.2017 20:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginAn incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for ChatSecure (3.2.0 - 4.0.0; only iOS) and Zom (all versions up to 1.0.11; only iOS).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Chatsecure ≫ Chatsecure Version3.2.0 SwPlatformiphone_os
Chatsecure ≫ Chatsecure Version3.2.1 SwPlatformiphone_os
Chatsecure ≫ Chatsecure Version3.2.2 SwPlatformiphone_os
Chatsecure ≫ Chatsecure Version3.2.3 SwPlatformiphone_os
Chatsecure ≫ Chatsecure Version4.0.0 SwPlatformiphone_os
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.73% | 0.494 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-346 Origin Validation Error
The product does not properly verify that the source of data or communication is valid.
http://openwall.com/lists/oss-security/2017/02/09/29
https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/
https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf
http://www.securityfocus.com/bid/96165
https://github.com/ChatSecure/ChatSecure-iOS/commit/a340b4bb519227d89f85f2716a10a197a65d4856
https://github.com/zom/Zom-iOS/commit/880051eaa8ba32d1b257c87a7d8798a93561bfd3