CVE-2013-6483
Description
Pidgin XMPP plugin (libpurple) before 2.10.8 fails to verify iq reply origins, allowing spoofing and NULL pointer dereference crashes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pidgin XMPP plugin (libpurple) before 2.10.8 fails to verify iq reply origins, allowing spoofing and NULL pointer dereference crashes.
Vulnerability
The XMPP protocol plugin in libpurple, part of Pidgin before version 2.10.8, does not properly validate whether the from attribute in an IQ reply matches the to attribute of the corresponding IQ request [1][2]. This allows a remote attacker to inject crafted IQ replies that appear to come from a trusted entity. The flaw was addressed in Pidgin 2.10.8, released in February 2014 [1][2].
Exploitation
An attacker must be able to inject a malicious IQ reply into the XMPP stream. This can be achieved by controlling a malicious XMPP server or by performing a man-in-the-middle attack on the communication channel. The attacker sends a crafted IQ reply that does not match the expected source address, and the vulnerable plugin processes it without proper verification, leading to either spoofing of IQ traffic or a NULL pointer dereference [1][2].
Impact
Successful exploitation allows the attacker to spoof IQ traffic, potentially injecting fake data into the client session. Additionally, a crafted reply can trigger a NULL pointer dereference, causing Pidgin to crash and resulting in a denial of service. The vulnerability does not allow remote code execution, but it compromises data integrity and availability [1][2].
Mitigation
The vulnerability is fixed in Pidgin version 2.10.8, released on 2014-02-06 [1][2]. Users should upgrade to this version or later. Red Hat Enterprise Linux 5 and 6 users can apply the updated packages from RHSA-2014-0139 [1]. Ubuntu users can apply USN-2100-1 [2]. No workarounds are documented for unpatched installations.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
54cpe:2.3:a:pidgin:pidgin:*:*:*:*:*:*:*:*+ 53 more
- cpe:2.3:a:pidgin:pidgin:*:*:*:*:*:*:*:*range: <=2.10.7
- cpe:2.3:a:pidgin:pidgin:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:pidgin:pidgin:2.9.0:*:*:*:*:*:*:*
- (no CPE)range: <2.10.8
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- pidgin.im/news/security/nvdVendor Advisory
- hg.pidgin.im/pidgin/main/rev/93d4bff19574nvd
- lists.opensuse.org/opensuse-updates/2014-02/msg00039.htmlnvd
- lists.opensuse.org/opensuse-updates/2014-03/msg00005.htmlnvd
- www.debian.org/security/2014/dsa-2859nvd
- www.ubuntu.com/usn/USN-2100-1nvd
- rhn.redhat.com/errata/RHSA-2014-0139.htmlnvd
News mentions
0No linked articles in our index yet.