Medium severity5.9NVD Advisory· Published Feb 9, 2017· Updated May 13, 2026

CVE-2017-5590

Description

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for ChatSecure (3.2.0 - 4.0.0; only iOS) and Zom (all versions up to 1.0.11; only iOS).

Affected products

Chatsecure/Chatsecure5 versions
cpe:2.3:a:chatsecure:chatsecure:3.2.0:*:*:*:*:iphone_os:*:*+ 4 more
- cpe:2.3:a:chatsecure:chatsecure:3.2.0:*:*:*:*:iphone_os:*:*
- cpe:2.3:a:chatsecure:chatsecure:3.2.1:*:*:*:*:iphone_os:*:*
- cpe:2.3:a:chatsecure:chatsecure:3.2.2:*:*:*:*:iphone_os:*:*
- cpe:2.3:a:chatsecure:chatsecure:3.2.3:*:*:*:*:iphone_os:*:*
- cpe:2.3:a:chatsecure:chatsecure:4.0.0:*:*:*:*:iphone_os:*:*
Zom/Zom
cpe:2.3:a:zom:zom:*:*:*:*:*:iphone_os:*:*
Range: <=1.0.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ChatSecure/ChatSecure-iOS/commit/a340b4bb519227d89f85f2716a10a197a65d4856nvdPatch
github.com/zom/Zom-iOS/commit/880051eaa8ba32d1b257c87a7d8798a93561bfd3nvdPatch
openwall.com/lists/oss-security/2017/02/09/29nvdExploitMailing ListThird Party Advisory
rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/nvdExploitTechnical DescriptionThird Party Advisory
rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdfnvdExploitTechnical DescriptionThird Party Advisory
www.securityfocus.com/bid/96165nvd

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000