Description
Versions of converse.js prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display.
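The defensive check that an XEP-0280 implementation needs is illustrated below as an added example (not converse.js code): a carbon copy may only be trusted when the wrapping stanza comes from the user's own bare JID, so a wrapper sent by any other party is ignored. Stanzas are modelled as constructed plain objects rather than XML DOM nodes so the snippet runs in plain Node.js; the JIDs are made up.

```javascript
// Added example, not converse.js code: minimal XEP-0280 carbon validation.
// Stanzas are {name, attrs, children} objects standing in for XML elements.
const CARBONS_NS = 'urn:xmpp:carbons:2';
const FORWARD_NS = 'urn:xmpp:forward:0';

// Strip the resource: "alice@example.org/laptop" -> "alice@example.org".
function bareJid(jid) {
  return (jid || '').split('/')[0];
}

// First child element with the given name (and namespace, if given).
function child(el, name, ns) {
  return (el.children || []).find(c => c.name === name && (!ns || c.attrs.xmlns === ns));
}

// Returns the inner forwarded <message> if `stanza` is a carbon the client may
// trust, or null if it must be dropped. XEP-0280 requires carbon wrappers to
// originate from the user's own bare JID; anything else is a spoofing attempt.
// A missing `from` is treated conservatively as untrusted here.
function unwrapCarbon(stanza, ownJid) {
  if (stanza.name !== 'message') return null;
  const wrapper = child(stanza, 'received', CARBONS_NS) || child(stanza, 'sent', CARBONS_NS);
  if (!wrapper) return null;                               // not a carbon at all
  if (bareJid(stanza.attrs.from) !== bareJid(ownJid)) return null; // the missing check
  const forwarded = child(wrapper, 'forwarded', FORWARD_NS);
  const inner = forwarded && child(forwarded, 'message');
  return inner || null;
}

// Constructed sample stanzas as a client would receive them.
const ownJid = 'alice@example.org/laptop';
// Legitimate carbon: our own account forwards a message bob sent to another device.
const legitimate = {
  name: 'message', attrs: { from: 'alice@example.org', to: ownJid },
  children: [{ name: 'received', attrs: { xmlns: CARBONS_NS }, children: [
    { name: 'forwarded', attrs: { xmlns: FORWARD_NS }, children: [
      { name: 'message', attrs: { from: 'bob@example.org/phone', to: 'alice@example.org' },
        children: [{ name: 'body', attrs: {}, text: 'hi alice' }] }] }] }],
};
// Spoofed carbon: a third party wraps a fake message "from" bob; must be dropped.
const spoofed = JSON.parse(JSON.stringify(legitimate));
spoofed.attrs.from = 'mallory@example.net';

function demo() {
  return {
    legit: unwrapCarbon(legitimate, ownJid) !== null,     // true
    spoofed: unwrapCarbon(spoofed, ownJid) !== null,      // false
  };
}
```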
Recommendation
Update the converse.js package to the latest compatible version. Version details:
Affected version(s): **>= 2.0.0, < 2.0.5**; **< 1.0.7**
Patched version(s): **2.0.5**, **1.0.7**
References
- GHSA-w973-2qcc-p78x
- snyk.io
- www.npmjs.com
- www.openwall.com
- rt-solutions.de
- openwall.com
- www.securityfocus.com
- CVE-2017-5858
- CWE-20
- CWE-346
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- method-override ReDoS when untrusted user input passed into X-HTTP-Method-Override header - CVE-2017-16136
- matrix-js-sdk subject to user impersonation due to key/device identifier confusion in SAS verification - CVE-2022-39250
- Converse.js Exposure of Sensitive Information - CVE-2018-6591
- Volto affected by possible DoS by invoking specific URL by anonymous user - CVE-2025-58047
Tags:
- npm
- converse.js
Last updated on January 09, 2023