CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 2CVE-2016-9928
https://notcve.org/view.php?id=CVE-2016-9928
MCabber before 1.0.4 is vulnerable to roster push attacks, which allows remote attackers to intercept communications, or add themselves as an entity on a 3rd party's roster as another user, which will also garner associated privileges, via crafted XMPP packets. MCabber versiones anteriores a 1.0.4, es vulnerable a los ataques de tipo roster push, lo que permite a atacantes remotos interceptar comunicaciones, o agregarse como una entidad en la lista de un tercero como otro usuario, que también obtendrá privilegios asociados, por medio de paquetes XMPP diseñados. • http://lists.opensuse.org/opensuse-updates/2017-01/msg00130.html http://www.openwall.com/lists/oss-security/2016/12/11/2 http://www.openwall.com/lists/oss-security/2017/02/09/29 http://www.securityfocus.com/bid/94862 https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845258 https://bugzilla.redhat.com/show_bug.cgi?id=1403790 https://gultsch.de/gajim_roster_push_and_message_interception.html ht • CWE-269: Improper Privilege Management •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 3CVE-2017-5604
https://notcve.org/view.php?id=CVE-2017-5604
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for mcabber 1.0.0 - 1.0.4. Una implementación incorrecta de "XEP-0280: Message Carbons" en múltiples clientes XMPP permite a un atacante remoto personificar cualquier usuario, incluidos los contactos, en la pantalla de la aplicación vulnerable. Esto permite varios tipos de ataques de ingeniería social. • http://openwall.com/lists/oss-security/2017/02/09/29 http://www.securityfocus.com/bid/96184 https://mcabber.com/hg/rev/2a9569fd7644 https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf • CWE-20: Improper Input Validation CWE-346: Origin Validation Error •