MCabber before 1.0.4 is vulnerable to roster push attacks, which allow remote attackers to intercept communications or to add themselves to a third party's roster as another user, thereby gaining that user's associated privileges, via crafted XMPP packets.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2.2 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 8.0 |
| mcabber | mcabber | * |
| canonical | ubuntu_linux | 16.04 |
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This enables various kinds of social engineering attacks. This CVE covers mcabber 1.0.0 through 1.0.4.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20, CWE-346
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mcabber | mcabber | 1.0.0 |
| mcabber | mcabber | 1.0.1 |
| mcabber | mcabber | 1.0.2 |
| mcabber | mcabber | 1.0.3 |
| mcabber | mcabber | 1.0.4 |