Medium severity5.9NVD Advisory· Published Feb 9, 2017· Updated May 13, 2026

CVE-2017-5606

Description

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 - 1.0.74; Android).

Affected products

Xabber/Xabber2 versions
cpe:2.3:a:xabber:xabber:*:*:*:*:-:android:*:*+ 1 more
- cpe:2.3:a:xabber:xabber:*:*:*:*:-:android:*:*range: <=1.0.30
- cpe:2.3:a:xabber:xabber:*:*:*:*:vip:android:*:*range: <=1.0.30

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

openwall.com/lists/oss-security/2017/02/09/29nvdExploitMailing ListThird Party Advisory
rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/nvdExploitTechnical DescriptionThird Party Advisory
rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdfnvdExploitTechnical DescriptionThird Party Advisory
www.securityfocus.com/bid/96186nvdThird Party AdvisoryVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000