CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2022-26491
https://notcve.org/view.php?id=CVE-2022-26491
An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968. Se ha detectado un problema en Pidgin versiones anteriores a 2.14.9. • https://developer.pidgin.im/wiki/FullChangeLog https://github.com/xsf/xeps/pull/1158 https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdc https://lists.debian.org/debian-lts-announce/2022/06/msg00005.html https://mail.jabber.org/pipermail/standards/2022-February/038759.html https://pidgin.im/about/security/advisories/cve-2022-26491 • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2017-2640 – pidgin: Out-of-bounds write in purple_markup_unescape_entity triggered by invalid XML
https://notcve.org/view.php?id=CVE-2017-2640
An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process. Se ha encontrado una vulnerabilidad de escritura fuera de límites en el modo en que Pidgin en versiones anteriores a la 2.12.0 procesaba el contenido XML. Un servidor remoto malicioso podría usar esta vulnerabilidad para provocar el cierre inesperado de Pidgin o ejecutar código arbitrario en el contexto del proceso pidgin. An out-of-bounds write flaw was found in the way Pidgin processed XML content. • http://www.securityfocus.com/bid/96775 https://access.redhat.com/errata/RHSA-2017:1854 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2640 https://security.gentoo.org/glsa/201706-10 https://www.debian.org/security/2017/dsa-3806 https://access.redhat.com/security/cve/CVE-2017-2640 https://bugzilla.redhat.com/show_bug.cgi?id=1430019 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-1000030
https://notcve.org/view.php?id=CVE-2016-1000030
Pidgin version <2.11.0 contains a vulnerability in X.509 Certificates imports specifically due to improper check of return values from gnutls_x509_crt_init() and gnutls_x509_crt_import() that can result in code execution. This attack appear to be exploitable via custom X.509 certificate from another client. This vulnerability appears to have been fixed in 2.11.0. Pidgin en versiones anteriores a la 2.11.0 contiene una vulnerabilidad en las importaciones de certificados X.509, concretamente debido a la comprobación incorrecta de valores de retorno de gnutls_x509_crt_init() y gnutls_x509_crt_import() que puede resultar en la ejecución de código. Este ataque parece ser explotable mediante un certificado X.509 personalizado de otro cliente. • https://access.redhat.com/security/cve/cve-2016-1000030 https://bitbucket.org/pidgin/main/commits/d6fc1ce76ffe https://pidgin.im/news/security/?id=91 https://security.gentoo.org/glsa/201701-38 https://www.suse.com/pt-br/security/cve/CVE-2016-1000030 • CWE-295: Improper Certificate Validation •
CVSS: 5.8EPSS: 0%CPEs: 5EXPL: 1CVE-2016-4323
https://notcve.org/view.php?id=CVE-2016-4323
A directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability. Exste un salto de directorio en el manejo del protocolo MXIT en Pidgin. Datos MXIT especialmente manipulados enviados desde el servidor podrían resultar potencialmente en una sobreescritura de archivos. un servidor malicioso o alguien con acceso al tráfico de red puede proveer un nombre de archivo inválido para una imagen gráfica que desencadena la vulnerabilidad. • http://www.debian.org/security/2016/dsa-3620 http://www.pidgin.im/news/security/?id=97 http://www.securityfocus.com/bid/91335 http://www.talosintelligence.com/reports/TALOS-2016-0128 http://www.ubuntu.com/usn/USN-3031-1 https://security.gentoo.org/glsa/201701-38 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2016-2365
https://notcve.org/view.php?id=CVE-2016-2365
A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash. Existe una vulnerabilidad de denegación de servicio en el manejo del protocolo MXIT en Pidgin. Datos MXIT especialmente manipulados enviados a través del servidor podrían resultar potencialmente en una referencia a puntero nulo. • http://www.debian.org/security/2016/dsa-3620 http://www.pidgin.im/news/security/?id=98 http://www.securityfocus.com/bid/91335 http://www.talosintelligence.com/reports/TALOS-2016-0133 http://www.ubuntu.com/usn/USN-3031-1 https://security.gentoo.org/glsa/201701-38 • CWE-476: NULL Pointer Dereference •