An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for yaxim and Bruno (0.8.6 – 0.8.8; Android).
Monthly Archives: February 2017
CVE-2017-5858
An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for Converse.js (0.8.0 – 1.0.6, 2.0.0 – 2.0.4).
CVE-2017-5602
An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for jappix 1.0.0 to 1.1.6.
CVE-2017-5605
An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for Movim 0.8 – 0.10.
CVE-2017-5590
An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for ChatSecure (3.2.0 – 4.0.0; only iOS) and Zom (all versions up to 1.0.11; only iOS).
CVE-2017-5604
An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for mcabber 1.0.0 – 1.0.4.
CVE-2017-5603
An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for Jitsi 2.5.5061 – 2.9.5544.
CVE-2017-5606
An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 – 1.0.74; Android).
Ubuntu Security Notice USN-3187-2
Ubuntu Security Notice 3187-2 – Andrey Konovalov discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data. A remote attacker could use this to cause a denial of service. It was discovered that multiple memory leaks existed in the XFS implementation in the Linux kernel. A local attacker could use this to cause a denial of service.
Android android.util.MemoryIntArray Inter-Process munmap
Android suffers from an inter-process munmap in android.util.MemoryIntArray vulnerability.