WebSocket Connection Hijacking Vulnerability in Mellium XMPP Library

WebSocket Connection Hijacking Vulnerability in Mellium XMPP Library

CVE-2022-24968 · MEDIUM Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification.

Learn more about our Web App Pen Testing.