PatchSiren cyber security CVE debrief
CVE-2017-5602 Jappix Project CVE debrief
CVE-2017-5602 affects Jappix 1.0.0 through 1.1.6 and stems from an incorrect implementation of XEP-0280 Message Carbons. A remote attacker can cause the application to display messages as if they came from another user, including contacts, which can mislead users and support social engineering attacks.
- Vendor: Jappix Project
- Product: CVE-2017-5602
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-09
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-09
- Advisory updated: 2026-05-13
Who should care
Administrators of Jappix deployments running 1.0.0-1.1.6, and security teams responsible for chat identity verification, phishing resistance, and client-side trust controls in XMPP environments.
Technical summary
NVD assigns this issue to Jappix versions 1.0.0-1.1.6 and records CVSS 3.0 as AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, reflecting a network-reachable integrity problem rather than code execution or service disruption. The core flaw is an incorrect Message Carbons handling path that lets a remote party spoof sender identity in the UI, creating a believable impersonation channel for deceptive messages.
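The defensive rule behind this flaw class is stated in XEP-0280's security considerations: a client may only treat a carbon copy as genuine when the outer message wrapper was delivered by the user's own bare JID (and RFC 6120 treats a stanza with no `from` as coming from the user's own account on the server); any other carbon must be ignored. The following added example, which is not Jappix code and does not reproduce the project's patch, shows an unchecked unwrap beside a hardened one over constructed stanzas. Stanzas are modelled as plain `{name, attrs, children, text}` objects as an assumed stand-in for parsed XML; `unwrapCarbon`, `unwrapCarbonUnchecked`, `makeCarbon` and the sample JIDs are all hypothetical.

```javascript
// Added example (not Jappix project code). Namespaces from XEP-0280 and XEP-0297.
const NS_CARBONS = 'urn:xmpp:carbons:2';
const NS_FORWARD = 'urn:xmpp:forward:0';

// Strip the resource and normalise case so comparisons are on the bare JID.
function bareJid(jid) {
  return String(jid || '').split('/')[0].toLowerCase();
}

// Find a direct child by element name, optionally constrained to a namespace.
function findChild(el, name, ns) {
  return (el.children || []).find(
    (c) => c.name === name && (ns === undefined || (c.attrs || {}).xmlns === ns)
  );
}

function carbonElement(stanza) {
  return findChild(stanza, 'received', NS_CARBONS) || findChild(stanza, 'sent', NS_CARBONS);
}

// The inner <message> wrapped by <forwarded/>, or null if the carbon is malformed.
function forwardedMessage(carbon) {
  const fwd = findChild(carbon, 'forwarded', NS_FORWARD);
  return fwd ? findChild(fwd, 'message') || null : null;
}

function renderInner(carbon, inner) {
  const body = findChild(inner, 'body');
  return {
    accepted: true,
    direction: carbon.name,                 // 'received' or 'sent'
    displayedSender: bareJid(inner.attrs.from),
    body: body ? body.text : '',
  };
}

// Weak behaviour of the kind the advisory describes: the inner sender is shown
// without asking who delivered the carbon wrapper.
function unwrapCarbonUnchecked(stanza) {
  const carbon = carbonElement(stanza);
  const inner = carbon && forwardedMessage(carbon);
  if (!inner) return { accepted: false, reason: 'not-a-carbon' };
  return renderInner(carbon, inner);
}

// Hardened form: the wrapper must come from our own bare JID (XEP-0280 §11).
// A wrapper with no 'from' is attributed to our own account (RFC 6120 §8.1.2.1).
function unwrapCarbon(stanza, ownJid) {
  const carbon = carbonElement(stanza);
  if (!carbon) return { accepted: false, reason: 'not-a-carbon' };
  const attrs = stanza.attrs || {};
  const wrapperFrom = attrs.from ? bareJid(attrs.from) : bareJid(ownJid);
  if (wrapperFrom !== bareJid(ownJid)) {
    // Ignore the copy; a defender may also want to log this for review.
    return { accepted: false, reason: 'carbon-wrapper-not-from-own-jid', wrapperFrom };
  }
  const inner = forwardedMessage(carbon);
  if (!inner) return { accepted: false, reason: 'malformed-carbon' };
  return renderInner(carbon, inner);
}

// Constructed sample stanzas (hypothetical JIDs, not captured traffic).
function makeCarbon(wrapperFrom, innerFrom, innerTo, text) {
  const attrs = { to: 'alice@example.org/web', type: 'chat' };
  if (wrapperFrom) attrs.from = wrapperFrom;
  return {
    name: 'message', attrs,
    children: [{
      name: 'received', attrs: { xmlns: NS_CARBONS },
      children: [{
        name: 'forwarded', attrs: { xmlns: NS_FORWARD },
        children: [{
          name: 'message', attrs: { from: innerFrom, to: innerTo, type: 'chat' },
          children: [{ name: 'body', attrs: {}, children: [], text }],
        }],
      }],
    }],
  };
}

const OWN_JID = 'alice@example.org/web';
// Genuine copy: delivered by the user's own bare JID.
const LEGIT = makeCarbon('alice@example.org', 'bob@example.org/phone', OWN_JID, 'lunch?');
// Server-delivered copy with no 'from' on the wrapper: also genuine.
const NO_FROM = makeCarbon(undefined, 'bob@example.org/phone', OWN_JID, 'lunch?');
// Wrapper delivered by some third party: must be ignored, however the inner looks.
const FOREIGN = makeCarbon('unknown@other.example', 'bob@example.org/phone', OWN_JID, 'please resend the code');

console.log('unchecked:', unwrapCarbonUnchecked(FOREIGN));
console.log('hardened :', unwrapCarbon(FOREIGN, OWN_JID));
```

The unchecked path labels the third-party wrapper as a message from `bob@example.org`, which is exactly the identity confusion the summary describes; the hardened path drops it with a reason code that can feed a client-side log or a monitoring rule.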
Defensive priority
Medium priority. The impact is primarily user deception and message integrity loss, but the attack is remote, requires no privileges, and can be used for convincing social engineering, so exposed deployments should be patched promptly.
Recommended defensive actions
- Upgrade Jappix to a version that includes the upstream fix referenced by the project commit in the advisory trail.
- If immediate upgrade is not possible, review whether Message Carbons can be restricted or disabled in your deployment path.
- Educate users not to trust sensitive requests based only on displayed sender names in chat clients.
- Monitor for suspicious message identity mismatches or conversations that appear to come from contacts but contain unexpected requests.
- Confirm any fix by checking the Jappix release or patch history tied to the referenced GitHub commit.
Evidence notes
The NVD record for CVE-2017-5602 lists Jappix 1.0.0-1.1.6 as vulnerable and provides the CVSS 3.0 vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, with CWE-20 and CWE-346 as the recorded weaknesses. MITRE/NVD references include an Openwall oss-security post, a Jappix GitHub patch commit, a SecurityFocus entry, and RT-Solutions technical advisories describing the XMPP Message Carbons impersonation and social-engineering risk. No evidence in the supplied corpus indicates code execution, data theft, or availability impact.
Official resources
- CVE-2017-5602 CVE record (CVE.org)
- CVE-2017-5602 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Exploit, Mailing List, Third Party Advisory)
- Source reference
- Mitigation or vendor reference: [email protected] (Patch)
- Mitigation or vendor reference: [email protected] (Exploit, Technical Description, Third Party Advisory)
- Mitigation or vendor reference: [email protected] (Exploit, Technical Description, Third Party Advisory)
Published on 2017-02-09; the supplied NVD record was last modified on 2026-05-13.