Medium severity 5.9 · NVD Advisory · Published Feb 9, 2017 · Updated Jun 17, 2026
CVE-2017-5591
Description
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| slixmpp (PyPI) | < 1.2.4 | 1.2.4 |
| SleekXMPP (PyPI) | < 1.3.2 | 1.3.2 |
Affected products
- ghsa-coords (2 versions): < 1.3.2, + 1 more
- (no CPE) range: < 1.3.2
- (no CPE) range: < 1.2.4
References
- github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160ad8 (nvd; Patch; WEB)
- openwall.com/lists/oss-security/2017/02/09/29 (nvd; Exploit; Mailing List; Third Party Advisory; WEB)
- rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ (nvd; Exploit; Technical Description; Third Party Advisory)
- rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf (nvd; Exploit; Technical Description; Third Party Advisory; WEB)
- www.securityfocus.com/bid/96166 (nvd; Third Party Advisory; VDB Entry)
- github.com/advisories/GHSA-c35g-jr5f-h83p (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-5591 (ghsa; ADVISORY)
- github.com/fritzy/SleekXMPP/commit/285495d5ee2427d93d961ceedcd1829383e5196d (ghsa; WEB)
- github.com/fritzy/SleekXMPP/issues/442 (ghsa; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/sleekxmpp/PYSEC-2017-103.yaml (ghsa; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/slixmpp/PYSEC-2017-104.yaml (ghsa; WEB)
- pypi.org/project/sleekxmpp (ghsa; WEB)
- pypi.org/project/slixmpp (ghsa; WEB)
- rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons (ghsa; WEB)
- web.archive.org/web/20200227192025/http://www.securityfocus.com/bid/96166 (ghsa; WEB)