{"id":"CVE-2017-5591","details":"An incorrect implementation of \"XEP-0280: Message Carbons\" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.","aliases":["GHSA-c35g-jr5f-h83p","PYSEC-2017-103","PYSEC-2017-104"],"modified":"2026-05-18T05:49:56.201252996Z","published":"2017-02-09T20:59:00.230Z","database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:poezio:poezio:0.10:*:*:*:*:*:*:*","cpe:2.3:a:poezio:poezio:0.8.1:*:*:*:*:*:*:*","cpe:2.3:a:poezio:poezio:0.8:*:*:*:*:*:*:*","cpe:2.3:a:poezio:poezio:0.9:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"poezio:poezio","extracted_events":[{"last_affected":"0.8"},{"last_affected":"0.8.1"},{"last_affected":"0.9"},{"last_affected":"0.10"}]}]},"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/96166"},{"type":"FIX","url":"https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160ad8"},{"type":"EVIDENCE","url":"http://openwall.com/lists/oss-security/2017/02/09/29"},{"type":"EVIDENCE","url":"https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/"},{"type":"EVIDENCE","url":"https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fritzy/sleekxmpp","events":[{"introduced":"0"},{"last_affected":"bb094cc6498838cece046d9ed74881232fb5010d"}],"database_specific":{"cpe":"cpe:2.3:a:sleekxmpp_project:sleekxmpp:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.3.1"}]}}],"versions":["sleek-hildjj-dev","sleek-1.3.1","sleek-1.3.0","sleek-1.2.5","sleek-1.2.0","sleek-1.1.9","sleek-1.1.8","sleek-1.1.7","sleek-1.1.6","sleek-1.1.5","sleek-1.1.4","sleek-1.1.3","sleek-1.1.2","sleek-1.1.11","sleek-1.1.10","sleek-1.1.1","sleek-1.1","sleek-1.0.0-beta5","sleek-1.0-RC3","sleek-1.0-RC2","sleek-1.0-RC1","sleek-1.0-Beta6.1","sleek-1.0-Beta6","sleek-1.0-Beta5","sleek-1.0-Beta4","sleek-1.0-Beta3","sleek-1.0-Beta2","sleek-1.0-Beta1","sleek-1.0","sleek-0.9RC1","sleek-0.9-conn-fixes3","sleek-0.9-conn-fixes2","sleek-0.9-conn-fixes1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-5591.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/poezio/slixmpp","events":[{"introduced":"0"},{"last_affected":"fb3ac78bf98a5ca3062d6127e295b601b9503027"}],"database_specific":{"cpe":"cpe:2.3:a:slixmpp_project:slixmpp:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.2.3"}]}}],"versions":["slix-1.2.3","slix-1.2.2","slix-1.2.1","slix-1.2","slix-1.1","slix-1.0","sleek-1.3.0","1.3.0","sleek-1.2.5","1.2.5","sleek-1.2.0","1.2.0","sleek-1.1.10","1.1.10","sleek-1.1.9","1.1.9","sleek-1.1.8","1.1.8","sleek-1.1.7","1.1.7","sleek-1.1.6","1.1.6","sleek-1.1.5","1.1.5","sleek-1.1.4","1.1.4","sleek-1.1.3","1.1.3","sleek-1.1.2","1.1.2","sleek-1.1.1","1.1.1","sleek-1.1","1.1","sleek-1.0","1.0","sleek-1.0-RC3","1.0-RC3","sleek-1.0-RC2","1.0-RC2","sleek-1.0-RC1","1.0-RC1","sleek-1.0-Beta2","1.0-Beta2","sleek-1.0-Beta1","1.0-Beta1","sleek-0.9RC1","0.9RC1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-5591.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}