{"id":"CVE-2017-5858","details":"An incorrect implementation of \"XEP-0280: Message Carbons\" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4).","aliases":["GHSA-w973-2qcc-p78x"],"modified":"2026-04-10T04:06:34.187523Z","published":"2017-02-09T20:59:00.577Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/96183"},{"type":"FIX","url":"https://github.com/jcbrand/converse.js/commit/42f249cabbbf5c026398e6d3b350f6f9536ea572"},{"type":"EVIDENCE","url":"https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/"},{"type":"EVIDENCE","url":"https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf"},{"type":"EVIDENCE","url":"http://openwall.com/lists/oss-security/2017/02/09/29"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/conversejs/converse.js","events":[{"introduced":"0"},{"fixed":"42f249cabbbf5c026398e6d3b350f6f9536ea572"}]},{"type":"GIT","repo":"https://github.com/jcbrand/converse.js","events":[{"introduced":"0"},{"last_affected":"e3dbbf2eae2593bd0ec3d13b562786b8b74aeab9"},{"introduced":"0"},{"last_affected":"c9958182ff3d7bcbc326ab74051a9a846b71af6a"},{"introduced":"0"},{"last_affected":"56ec4cf7bcfc4ddccaf8f3dcf9196bc31543f92c"},{"introduced":"0"},{"last_affected":"d8bf1961a78b08e59d7f41217f6068a9c832157d"},{"introduced":"0"},{"last_affected":"c98e516e3987bbffb6367cee9fa467ca10e937de"},{"introduced":"0"},{"last_affected":"92ed46f84426d1481dcbf3f0265230af4cfe5c44"},{"introduced":"0"},{"last_affected":"303a412b38e1a7da4a8ad5e34ae9f4dae1ff7ca3"},{"introduced":"0"},{"last_affected":"17da00d5c11a5b96ed71378c58e2188543ea9472"},{"introduced":"0"},{"last_affected":"e0e0f1b7d793a80aa9a14814640d97c2ee4358ff"},{"introduced":"0"},{"last_affected":"995c5fdb4489da8a7ccaad1afabd66b98841096a"},{"introduced":"0"},{"last_affected":"145fd016a34db278b8d5b381f22e2bcff39b4030"},{"introduced":"0"},{"last_affected":"4f87fa3c4f939db4d94952ebcd810b12c23e9ec6"},{"introduced":"0"},{"last_affected":"6369465661d00c3242352a0860de4a997a76b78a"},{"introduced":"0"},{"last_affected":"af77b3189ef276306f11839b36ecb0f49f491627"},{"introduced":"0"},{"last_affected":"2253ec3d00bc7078b1df962b686160a0a8042ae3"},{"introduced":"0"},{"last_affected":"cbdda26a195b4d23a70ce049a127ce822f7f6c43"},{"introduced":"0"},{"last_affected":"5fa5f8272ff0af601e9613583e48f7919772ab7c"},{"introduced":"0"},{"last_affected":"8a74cc3323d1b871cc592f83e02336ee1de9bfcb"},{"introduced":"0"},{"last_affected":"1545018edf84962e4360adcb8ffa9c850b3fc8c8"},{"introduced":"0"},{"last_affected":"598e29c9103df7c5a91daae7b9428628e2d3e4d9"},{"introduced":"0"},{"last_affected":"d7c026e12829b3202fb5fc3109ec04c33eea50f1"},{"introduced":"0"},{"last_affected":"4c123d51d4177d4877e25080bb5210c52146277a"},{"introduced":"0"},{"last_affected":"fccd0860eb549f94dcd72d92b4ac3b722cc035a9"},{"introduced":"0"},{"last_affected":"10da240e7ed556a717adef6aa36e9efd709cd887"},{"introduced":"0"},{"last_affected":"8c3ffdffbb722375f32ba26ec1e13c4b83829bee"},{"introduced":"0"},{"last_affected":"829f9ab2161a71143208a1c866ab01f0b4f94bae"},{"introduced":"0"},{"last_affected":"8bbd88ba862f8ea739ada25a4fc4846b920c717b"},{"introduced":"0"},{"last_affected":"06805d80b884fa800cf214560e15b37c396b819a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.8.0"},{"introduced":"0"},{"last_affected":"0.8.1"},{"introduced":"0"},{"last_affected":"0.8.2"},{"introduced":"0"},{"last_affected":"0.8.3"},{"introduced":"0"},{"last_affected":"0.8.4"},{"introduced":"0"},{"last_affected":"0.8.5"},{"introduced":"0"},{"last_affected":"0.8.6"},{"introduced":"0"},{"last_affected":"0.9.0"},{"introduced":"0"},{"last_affected":"0.9.1"},{"introduced":"0"},{"last_affected":"0.9.2"},{"introduced":"0"},{"last_affected":"0.9.3"},{"introduced":"0"},{"last_affected":"0.9.4"},{"introduced":"0"},{"last_affected":"0.9.5"},{"introduced":"0"},{"last_affected":"0.9.6"},{"introduced":"0"},{"last_affected":"0.10.0"},{"introduced":"0"},{"last_affected":"0.10.1"},{"introduced":"0"},{"last_affected":"1.0.0"},{"introduced":"0"},{"last_affected":"1.0.1"},{"introduced":"0"},{"last_affected":"1.0.2"},{"introduced":"0"},{"last_affected":"1.0.3"},{"introduced":"0"},{"last_affected":"1.0.4"},{"introduced":"0"},{"last_affected":"1.0.5"},{"introduced":"0"},{"last_affected":"1.0.6"},{"introduced":"0"},{"last_affected":"2.0.0"},{"introduced":"0"},{"last_affected":"2.0.1"},{"introduced":"0"},{"last_affected":"2.0.2"},{"introduced":"0"},{"last_affected":"2.0.3"},{"introduced":"0"},{"last_affected":"2.0.4"}]}}],"versions":["0.9.4","v0.10.0","v0.10.1","v0.3","v0.5.0","v0.5.1","v0.5.2","v0.6.0","v0.6.1","v0.6.2","v0.6.3","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.8.4","v0.8.5","v0.8.6","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.4","v0.9.5","v0.9.6","v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5858.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}