{"id":"CVE-2017-5590","details":"An incorrect implementation of \"XEP-0280: Message Carbons\" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for ChatSecure (3.2.0 - 4.0.0; only iOS) and Zom (all versions up to 1.0.11; only iOS).","modified":"2026-04-11T03:11:41.379799Z","published":"2017-02-09T20:59:00.200Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/96165"},{"type":"FIX","url":"https://github.com/ChatSecure/ChatSecure-iOS/commit/a340b4bb519227d89f85f2716a10a197a65d4856"},{"type":"FIX","url":"https://github.com/zom/Zom-iOS/commit/880051eaa8ba32d1b257c87a7d8798a93561bfd3"},{"type":"EVIDENCE","url":"https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/"},{"type":"EVIDENCE","url":"https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf"},{"type":"EVIDENCE","url":"http://openwall.com/lists/oss-security/2017/02/09/29"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/chatsecure/chatsecure-ios","events":[{"introduced":"0"},{"last_affected":"7407706221cb40cbd6c159383f84fe1c89acf9ba"},{"introduced":"0"},{"last_affected":"4b525941dc0eda4f3a1b9ad90a0c1273f420a76e"},{"introduced":"0"},{"last_affected":"5b8daea94239a1bc45e3f62529e737f213fdff42"},{"fixed":"a340b4bb519227d89f85f2716a10a197a65d4856"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.2.1"},{"introduced":"0"},{"last_affected":"3.2.2"},{"introduced":"0"},{"last_affected":"3.2.3"}]}},{"type":"GIT","repo":"https://github.com/zom/zom-ios-xmpp","events":[{"introduced":"0"},{"fixed":"880051eaa8ba32d1b257c87a7d8798a93561bfd3"}]}],"versions":["1.0.3-28-cure53","v1.0.2","v1.1","v1.2","v1.3","v1.4","v1.5","v1.5.1","v2.0","v2.0.1","v2.1","v2.2","v2.2.1","v3.2","v3.2.1","v3.2.2","v3.2.3","v4.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.0.11"}]}],"vanir_signatures":[{"id":"CVE-2017-5590-938e6ade","deprecated":false,"target":{"file":"ChatSecure/Classes/Controllers/XMPP/OTRXMPPMessageYapStroage.h"},"source":"https://github.com/chatsecure/chatsecure-ios/commit/a340b4bb519227d89f85f2716a10a197a65d4856","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["209646930666600076338162883704913539223","273743801690347581989655561691106847040","180914673249055266491887896319264413105","131330495340382908432222828795181426082"]}}],"vanir_signatures_modified":"2026-04-11T03:11:41Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5590.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}