PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5590 ChatSecure CVE debrief

CVE-2017-5590 is an XMPP Message Carbons display-spoofing flaw in ChatSecure for iOS (3.2.0 through 4.0.0) and Zom for iOS (through 1.0.11). A remote attacker can make the vulnerable app display messages as if they came from another user, including a contact, which can support convincing impersonation and social-engineering attacks.

Vendor
ChatSecure
Product
ChatSecure for iOS (3.2.0 through 4.0.0); Zom for iOS (through 1.0.11)
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-09
Original CVE updated
2026-05-13
Advisory published
2017-02-09
Advisory updated
2026-05-13

Who should care

Security teams, administrators, and users of ChatSecure or Zom on iOS—especially where XMPP chat is used for sensitive communication, approvals, or identity-sensitive workflows.

Technical summary

NVD rates the issue CVSS 3.0 5.9/Medium with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (network-reachable, no privileges or user interaction required, integrity impact only) and lists CWE-20 (improper input validation) and CWE-346 (origin validation error). The flaw is described as an incorrect implementation of XEP-0280 Message Carbons. A carbon is a message from the user's own account, with the outer 'from' stamped by the user's server, that wraps a forwarded copy (XEP-0297) of a message another of the user's clients sent or received; XEP-0280 requires a client to ignore any carbon whose wrapper 'from' is not the user's own bare JID. A client that skips that origin check and renders the forwarded inner sender lets any remote XMPP user choose the sender name shown in the UI. The result is impersonation in the application's display, not code execution or service disruption. The affected iOS CPEs cover ChatSecure 3.2.0 through 4.0.0 and Zom up to 1.0.11.
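The origin check XEP-0280 calls for, as an added example that is not ChatSecure or Zom code: the vulnerable shape unwraps any carbon and displays the inner sender, while the hardened version accepts a carbon only when the server-stamped wrapper 'from' is the user's own bare JID. The JIDs, stanzas and message bodies below are constructed for the example, modelled on the XEP-0280 specification's own sample stanzas, and are not captured traffic; the function and variable names are this example's own.

```python
"""Added example (not ChatSecure or Zom code): validating XEP-0280 Message Carbons.

The outer 'from' of an inbound stanza is stamped by the user's own server (RFC 6120)
and cannot be chosen by a remote sender; the 'from' of the forwarded inner message
is plain attacker-controlled text and must only be trusted after the wrapper check.
"""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def tag(ns, local):
    """Clark-notation tag name used by ElementTree, e.g. '{jabber:client}message'."""
    return "{%s}%s" % (ns, local)


def bare_jid(jid):
    """'user@host/resource' -> 'user@host'; None stays None."""
    return jid.split("/", 1)[0] if jid else None


def _find_carbon_wrapper(outer):
    """Return the <received/> or <sent/> carbons child of `outer`, or None."""
    for kind in ("received", "sent"):
        wrapper = outer.find(tag(NS_CARBONS, kind))
        if wrapper is not None:
            return wrapper
    return None


def _forwarded_message(wrapper):
    """Return the inner <message/> of a carbon wrapper, or None if malformed."""
    forwarded = wrapper.find(tag(NS_FORWARD, "forwarded"))
    return None if forwarded is None else forwarded.find(tag(NS_CLIENT, "message"))


def vulnerable_display(stanza_xml):
    """Pre-fix behaviour: unwrap any carbon and show the inner sender, no origin check."""
    outer = ET.fromstring(stanza_xml)
    wrapper = _find_carbon_wrapper(outer)
    inner = _forwarded_message(wrapper) if wrapper is not None else None
    msg = inner if inner is not None else outer
    return {"sender": bare_jid(msg.get("from")), "body": msg.findtext(tag(NS_CLIENT, "body"))}


def hardened_display(stanza_xml, own_bare_jid):
    """Accept a carbon only when the wrapper 'from' equals the user's own bare JID.

    Returns {'accepted': True, 'sender': ..., 'body': ...} for a message the UI may
    render, or {'accepted': False, 'reason': ...} for a stanza that must be ignored.
    A carbon wrapper with no 'from' at all is rejected as well (conservative choice
    made in this example: a stanza without 'from' comes from the server, not the JID).
    """
    outer = ET.fromstring(stanza_xml)
    if outer.tag != tag(NS_CLIENT, "message"):
        return {"accepted": False, "reason": "not a message stanza"}
    wrapper = _find_carbon_wrapper(outer)
    if wrapper is None:
        # Ordinary message: the server-stamped outer 'from' is the real sender.
        return {"accepted": True, "sender": bare_jid(outer.get("from")),
                "body": outer.findtext(tag(NS_CLIENT, "body"))}
    outer_from = outer.get("from")
    if outer_from != own_bare_jid:
        return {"accepted": False,
                "reason": "carbon wrapper from %r is not own bare JID %r" % (outer_from, own_bare_jid)}
    inner = _forwarded_message(wrapper)
    if inner is None:
        return {"accepted": False, "reason": "carbon lacks a forwarded message"}
    return {"accepted": True, "sender": bare_jid(inner.get("from")),
            "body": inner.findtext(tag(NS_CLIENT, "body"))}


# Constructed sample stanzas for the account romeo@montague.example (not captured traffic).
OWN_JID = "romeo@montague.example"

LEGIT_CARBON = """<message xmlns='jabber:client' from='romeo@montague.example'
         to='romeo@montague.example/garden' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='juliet@capulet.example/balcony'
               to='romeo@montague.example/home' type='chat'>
        <body>Meet me at the usual place.</body>
      </message>
    </forwarded>
  </received>
</message>"""

# Attacker-sent stanza shaped like a carbon: the server stamps the real outer 'from'
# (mallory), but the inner 'from' names romeo's contact juliet.
SPOOFED_CARBON = """<message xmlns='jabber:client' from='mallory@evil.example/pc'
         to='romeo@montague.example/garden' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='juliet@capulet.example/balcony'
               to='romeo@montague.example/home' type='chat'>
        <body>Please approve the transfer right now, no time to call.</body>
      </message>
    </forwarded>
  </received>
</message>"""

DIRECT_MESSAGE = """<message xmlns='jabber:client' from='juliet@capulet.example/balcony'
         to='romeo@montague.example/garden' type='chat'>
  <body>Hello Romeo.</body>
</message>"""


if __name__ == "__main__":
    print("vulnerable renders spoof as:", vulnerable_display(SPOOFED_CARBON))
    print("hardened verdict on spoof:  ", hardened_display(SPOOFED_CARBON, OWN_JID))
    print("hardened verdict on legit:  ", hardened_display(LEGIT_CARBON, OWN_JID))
```

Run stand-alone, the vulnerable path attributes the spoofed body to juliet@capulet.example, which is the display-level impersonation the CVE describes; the hardened path rejects the same stanza because the wrapper came from mallory, and still renders the legitimate carbon and the direct message normally. The check deliberately compares the full outer 'from' against the bare JID rather than calling bare_jid() on it, so a stanza from one of the user's own resources is not mistaken for a server-delivered carbon.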

Defensive priority

Medium. The CVSS vector records no confidentiality or availability impact, and exploitation requires an attacker able to deliver XMPP messages to the victim, but the flaw lets such an attacker control the sender identity the app shows for a message. That undermines message authenticity directly and is enough to drive social engineering or fraud against anyone who acts on chat identity.

Recommended defensive actions

  • Identify any deployments using ChatSecure 3.2.0-4.0.0 or Zom 1.0.11 or earlier on iOS.
  • Upgrade to a release that includes the vendor fixes linked in the CVE record, or backport the referenced patches where appropriate.
  • Until remediation is complete, treat the displayed sender identity in these apps as untrusted for sensitive requests and verify high-risk messages (payment, credential or access requests) through a separate channel such as a phone call or a different messaging system.
  • Review workflows that rely on chat identity for approvals, payments, or access decisions.
  • Monitor vendor advisories and validate patched builds before broad rollout.

Evidence notes

The CVE record and NVD entry both identify the affected iOS versions and the XMPP Message Carbons impersonation issue. The NVD record also provides the CVSS vector and weakness classifications. The CVE references include vendor patch commits for ChatSecure and Zom, plus a third-party technical advisory discussing the spoofing behavior. This debrief uses the CVE publication date of 2017-02-09 for timing context; it does not treat the later NVD modification date as the issue date.

Official resources

Publicly disclosed on 2017-02-09. NVD later modified the record on 2026-05-13; that later date is not the vulnerability's issue date.