{"id":"CVE-2017-5592","details":"An incorrect implementation of \"XEP-0280: Message Carbons\" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for profanity (0.4.7 - 0.5.0).","modified":"2026-04-11T04:59:42.171349Z","published":"2017-02-09T20:59:00.293Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/96173"},{"type":"FIX","url":"https://github.com/boothj5/profanity/commit/8e75437a7e43d4c55e861691f74892e666e29b0b"},{"type":"EVIDENCE","url":"http://openwall.com/lists/oss-security/2017/02/09/29"},{"type":"EVIDENCE","url":"https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/"},{"type":"EVIDENCE","url":"https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/profanity-im/profanity","events":[{"introduced":"0"},{"last_affected":"60acf6f05be8f121b0d06b65cea484fd30ac7925"},{"introduced":"0"},{"last_affected":"4c049fb347b30841179cc10ec4204200fcd603dc"},{"introduced":"0"},{"last_affected":"662f9911961eccf52c51e7e1c2fc7a925ab335be"},{"introduced":"0"},{"last_affected":"b5233064ccd10019b5aca93ae4cc2f883e206c70"},{"introduced":"0"},{"last_affected":"4c049fb347b30841179cc10ec4204200fcd603dc"},{"introduced":"0"},{"last_affected":"6d274ba846caea15be4f9089235a72000f59a5eb"},{"introduced":"0"},{"last_affected":"ea9216f05484e7935f7d1772c2788f44fdf52eb7"},{"fixed":"8e75437a7e43d4c55e861691f74892e666e29b0b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.4.7-NA"},{"introduced":"0"},{"last_affected":"0.4.7-cyg1"},{"introduced":"0"},{"last_affected":"0.4.7-cyg2"},{"introduced":"0"},{"last_affected":"0.4.7-cyg3"},{"introduced":"0"},{"last_affected":"0.4.7-patch1"},{"introduced":"0"},{"last_affected":"0.5.0-NA"},{"introduced":"0"},{"last_affected":"0.5.0-rc1"}]}}],"versions":["0.1.10","0.1.7","0.1.8","0.2.0","0.3.0","0.3.0.rc1","0.3.0.rc2","0.3.0.rc3","0.4.0","0.4.0.rc1","0.4.0.rc2","0.4.1","0.4.1.rc1","0.4.1.rc2","0.4.2","0.4.3","0.4.3.rc1","0.4.3.rc2","0.4.3.rc3","0.4.4","0.4.5","0.4.5.rc1","0.4.6.rc1","0.4.7","0.4.7.cyg1","0.4.7.cyg2","0.4.7.cyg3","0.4.7.patch1","0.4.7.rc1","0.4.7.rc2","0.5.0","0.5.0.rc1"],"database_specific":{"vanir_signatures":[{"target":{"file":"tests/functionaltests/test_carbons.c"},"signature_version":"v1","source":"https://github.com/profanity-im/profanity/commit/8e75437a7e43d4c55e861691f74892e666e29b0b","signature_type":"Line","digest":{"line_hashes":["43674570987415379562834289238571991228","85997097170914970319998696623555001435","199915616696410343235400945864382345600","67141778361390527333760574197905403924"],"threshold":0.9},"id":"CVE-2017-5592-605a0cf6","deprecated":false},{"target":{"file":"src/xmpp/message.c"},"signature_version":"v1","source":"https://github.com/profanity-im/profanity/commit/8e75437a7e43d4c55e861691f74892e666e29b0b","signature_type":"Line","digest":{"line_hashes":["269672725800911013049720229985177148429","147937880059459280781124999408304611935","98013001733306130113818985562635411688","48435102129655158876459487600381447272","274643813655947615398101824109268710667","323088572927188402907203319880457121370","9590343397176827005811879247126636121"],"threshold":0.9},"id":"CVE-2017-5592-838b1a83","deprecated":false},{"target":{"file":"tests/functionaltests/test_carbons.c","function":"receive_carbon"},"signature_version":"v1","source":"https://github.com/profanity-im/profanity/commit/8e75437a7e43d4c55e861691f74892e666e29b0b","signature_type":"Function","digest":{"length":1119,"function_hash":"44724400157544853113936891218358527427"},"id":"CVE-2017-5592-8d394e89","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5592.json","vanir_signatures_modified":"2026-04-11T04:59:42Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}