Description
Versions of converse.js prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display.
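The XEP-0280 rule that a client must enforce is that a carbon copy (a `<received/>` or `<sent/>` wrapper in the `urn:xmpp:carbons:2` namespace) is only trustworthy when the outer `<message/>` comes from the user's own bare JID, i.e. was injected by the user's own server; copies that fail this check must be ignored. The following is an added example, not converse.js code, showing the unchecked pattern that lets a third party forge a carbon next to a hardened version that applies the bare-JID check. Stanzas are modelled as plain JavaScript objects constructed for the example rather than parsed XML, and the JIDs are made up.

```javascript
// Added example (not converse.js code): validating XEP-0280 Message Carbons
// before rendering the forwarded inner message as if a contact had sent it.

const CARBONS_NS = 'urn:xmpp:carbons:2';

// Strip the resource part: 'alice@example.org/desktop' -> 'alice@example.org'.
function bareJid(jid) {
  return typeof jid === 'string' ? jid.split('/')[0].toLowerCase() : '';
}

function sameBare(a, b) {
  const x = bareJid(a);
  return x !== '' && x === bareJid(b);
}

function carbonWrapper(stanza) {
  const wrapper = stanza.received || stanza.sent;
  return wrapper && wrapper.xmlns === CARBONS_NS ? wrapper : null;
}

// Unchecked pattern: whatever is wrapped in a carbon is displayed with the
// inner <message/>'s from/to, no matter who sent the outer stanza. A stanza
// from any remote party is therefore enough to put words in a contact's mouth.
function unwrapCarbonUnchecked(stanza) {
  const wrapper = carbonWrapper(stanza);
  return wrapper && wrapper.forwarded ? wrapper.forwarded.message || null : null;
}

// Hardened: per XEP-0280 security considerations, the outer stanza's 'from'
// must be the user's own bare JID (only the user's server legitimately sends
// carbons). As a second consistency check, a <received/> copy must be
// addressed to us and a <sent/> copy must originate from us. Anything else is
// dropped rather than rendered.
function unwrapCarbon(stanza, ownJid) {
  const wrapper = carbonWrapper(stanza);
  if (!wrapper || !wrapper.forwarded) return null;
  if (!sameBare(stanza.from, ownJid)) {
    return null; // forged carbon: outer sender is not our own account
  }
  const inner = wrapper.forwarded.message;
  if (!inner) return null;
  if (stanza.received && !sameBare(inner.to, ownJid)) return null;
  if (stanza.sent && !sameBare(inner.from, ownJid)) return null;
  return inner;
}

// Constructed sample stanzas (hypothetical JIDs).
const OWN_JID = 'alice@example.org/desktop';

const legitimateCarbon = {
  from: 'alice@example.org', // injected by Alice's own server
  to: OWN_JID,
  received: {
    xmlns: CARBONS_NS,
    forwarded: { message: { from: 'bob@example.org/phone', to: 'alice@example.org', body: 'hi' } },
  },
};

const forgedCarbon = {
  from: 'mallory@example.net/x', // a third party sending a carbon-shaped stanza
  to: OWN_JID,
  received: {
    xmlns: CARBONS_NS,
    forwarded: { message: { from: 'bob@example.org/phone', to: 'alice@example.org', body: 'forged' } },
  },
};

// Summarise what each approach would display for the forged stanza.
function compareHandling() {
  return {
    uncheckedShows: unwrapCarbonUnchecked(forgedCarbon) !== null,
    hardenedShows: unwrapCarbon(forgedCarbon, OWN_JID) !== null,
    hardenedAcceptsLegitimate: unwrapCarbon(legitimateCarbon, OWN_JID) !== null,
  };
}

console.log(compareHandling());
// { uncheckedShows: true, hardenedShows: false, hardenedAcceptsLegitimate: true }
```

The comparison is done on the bare JID only: a server may set the outer `from` to the user's bare JID with no resource, so matching on the full JID would reject legitimate copies.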
Recommendation
Update the converse.js package to the latest compatible version. Version details:
Affected version(s): **>= 2.0.0, < 2.0.5; < 1.0.7** Patched version(s): **2.0.5, 1.0.7**
References
- GHSA-w973-2qcc-p78x
- snyk.io
- www.npmjs.com
- www.openwall.com
- rt-solutions.de
- openwall.com
- www.securityfocus.com
- CVE-2017-5858
- CWE-20
- CWE-346
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Cross-site Scripting in jquery-ui - CVE-2010-5312
- nuxt Code Injection vulnerability - CVE-2023-3224
- QooxDoo XSS in Callback Parameter - CVE-2011-1714
- Denial of Service in ipfs-bitswap - Vulnerability
Tags:
- npm
- converse.js
Last updated on January 09, 2023