CVE-2016-0756

The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.
Severity
MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Atk. Vector
NETWORK
Atk. Complexity
LOW
Priv. Required
NONE
Base Score
CVSS 3.x
EPSS Score
Percentile: 81%
VendorProductVersion
prosodyprosody
𝑥
≤ 0.9.9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
prosody
bullseye (security)
0.11.9-2+deb11u2
fixed
bullseye
0.11.9-2+deb11u2
fixed
bookworm
0.12.3-1
fixed
trixie
0.12.4-1
fixed
sid
0.12.4-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
prosody
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
ignored
zesty
ignored
yakkety
ignored
xenial
Fixed 0.9.10-1
released
wily
ignored
vivid
Fixed 0.9.7-2+deb8u3build0.15.04.1
released
trusty
dne
precise
ignored