Medium severity5.3NVD Advisory· Published Jan 29, 2016· Updated May 6, 2026

CVE-2016-0756

Description

The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.

Affected products

Prosody/Prosody
cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*
Range: <=0.9.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.prosody.im/prosody-0-9-10-released/nvdPatchVendor Advisory
prosody.im/security/advisory_20160127/nvdVendor Advisory
lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.htmlnvd
lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.htmlnvd
www.debian.org/security/2016/dsa-3463nvd
www.openwall.com/lists/oss-security/2016/01/27/10nvd
www.securityfocus.com/bid/82241nvd
prosody.im/issues/issue/596nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000