You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
User Impersonation in converse.js
Moderate severity
GitHub Reviewed
Published
Sep 11, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Versions of converse.js prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.
Recommendation
If you're using converse.js 1.x, upgrade to 1.0.7 or later.
If you're using converse.js 2.x, upgrade to 2.0.5 or later.
Versions of
converse.jsprior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.Recommendation
If you're using
converse.js1.x, upgrade to 1.0.7 or later.If you're using
converse.js2.x, upgrade to 2.0.5 or later.References