Unverified from Attribute in ParseRoster Component Allows IQ Response Spoofing

Unverified from Attribute in ParseRoster Component Allows IQ Response Spoofing

CVE-2014-0364 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:P/A:N

The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute.

Learn more about our Api Penetration Testing.