Tigase XMPP Server Stanza Smuggling

Discussion in 'News Aggregator' started by Packet Storm, 27 May 2022.

  1. Packet Storm

    Packet Storm Guest

    Tigase XMPP server suffers from a security vulnerability due to not escaping the double quote character when serializing parsed XML. This can be used to smuggle (or, if you prefer, inject) an arbitrary attacker-controlled stanza in the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).
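
The bug class described above, as an added illustration that is not part of the original post and is not Tigase code: a serializer that writes attribute values without escaping `"` next to a hardened one, plus a round-trip check a server-side test suite could run. The element name `item`, the helper names and the sample attribute value are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def esc_attr(value):
    """Escape &, <, > and the double quote for a double-quoted attribute."""
    return escape(value, {'"': "&quot;"})


def serialize_naive(tag, attrs, text=""):
    """Vulnerable form: attribute values are emitted with '"' left as-is."""
    a = "".join(' %s="%s"' % (k, v) for k, v in attrs.items())
    return "<%s%s>%s</%s>" % (tag, a, escape(text), tag)


def serialize_safe(tag, attrs, text=""):
    """Hardened form: every attribute value goes through esc_attr()."""
    a = "".join(' %s="%s"' % (k, esc_attr(v)) for k, v in attrs.items())
    return "<%s%s>%s</%s>" % (tag, a, escape(text), tag)


def elements_seen(serializer, tag, attrs, text=""):
    """Elements the receiving parser sees in the output stream."""
    wire = "<stream>" + serializer(tag, attrs, text) + "</stream>"
    return list(ET.fromstring(wire))


def round_trips(serializer, tag, attrs, text=""):
    """True only if the receiver sees exactly the one element we serialized."""
    try:
        seen = elements_seen(serializer, tag, attrs, text)
    except ET.ParseError:
        return False
    return (len(seen) == 1 and seen[0].tag == tag
            and dict(seen[0].attrib) == attrs
            and (seen[0].text or "") == text)


# Constructed in-memory tree: one element whose attribute value holds a '"'.
SAMPLE_ATTRS = {"id": 'x"></item><item id="y'}

if __name__ == "__main__":
    for s in (serialize_naive, serialize_safe):
        n = len(elements_seen(s, "item", SAMPLE_ATTRS, "hi"))
        print(s.__name__, "elements:", n,
              "round-trips:", round_trips(s, "item", SAMPLE_ATTRS, "hi"))
```

Asserting `round_trips` over attribute values containing `"`, `'`, `<`, `>` and `&` is a cheap regression test for any component that re-serializes XML it has parsed.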
