Base Score

MEDIUM4.5

CVE-2016-10376

Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions.

VectorNETWORK

Published Bycve@mitre.org

Published DateMay 28, 2017, 00:29

Weakness Type (CWE):CWE-310

CVSS Metrics

Base Score

4.5

Vector String

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

http://www.debian.org/security/2017/dsa-3943
https://bugs.debian.org/863445
https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
https://dev.gajim.org/gajim/gajim/issues/8378
https://mail.jabber.org/pipermail/standards/2016-August/031335.html
https://security.gentoo.org/glsa/201707-14

Base Score

MEDIUM4.5

Weakness Type (CWE):CWE-310

CVSS Metrics

Base Score

4.5

Vector String

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE