#VU21170 Insufficient verification of data authenticity in Dino - CVE-2019-16235

Cybersecurity Help s.r.o.

Published: 2019-09-17 | Updated: 2023-03-30

Vulnerability identifier: #VU21170

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-16235

CWE-ID: CWE-345

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Dino
Client/Desktop applications / Messaging software

Vendor: Dino Team

Description

The vulnerability allows a remote attacker to spoof messages.

The vulnerability exists due to incorrect verification of the sender in module/xep/0280_message_carbons.vala. A remote attacker can spoof the sender of carbons messages.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Dino: 0.0

External links
https://www.openwall.com/lists/oss-security/2019/09/12/5
https://github.com/dino/dino/commit/e84f2c49567e86d2a261ea264d65c4adc549c930
https://gultsch.de/dino_multiple.html
https://seclists.org/bugtraq/2019/Sep/31

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for Dino

Multiple vulnerabilities in Dino XMPP client

Debian update for dino-im

Fedora 31 update for dino

Fedora 29 update for dino

Fedora 30 update for dino