PatchSiren cyber security CVE debrief

CVE-2017-5605 Movim CVE debrief

CVE-2017-5605 affects Movim 0.8 through 0.10 and is rooted in an incorrect implementation of XEP-0280 Message Carbons. The practical impact is display-level impersonation: a remote attacker can make the application show messages as if they came from another user, including contacts, which creates a clear social-engineering risk. NVD classifies the issue as medium severity (CVSS 3.0 5.9) with high integrity impact and no direct confidentiality or availability impact.

Vendor: Movim
Product: CVE-2017-5605
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Administrators and users of Movim 0.8, 0.8.1, 0.9, and 0.10 should care, especially if the deployment relies on chat identity and message origin for trust decisions. Security teams responsible for XMPP-based messaging workflows should treat this as a phishing and impersonation concern rather than a server compromise issue.

Technical summary

The vulnerability is an incorrect handling of XEP-0280 Message Carbons in Movim’s XMPP client behavior. According to the CVE description, a remote attacker can impersonate any user in the vulnerable application’s display, including contacts. NVD maps the issue to CWE-20 and CWE-346 and assigns CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network reachability with a significant integrity-only impact.

Defensive priority

Medium. The issue is remotely reachable and can mislead users, but the published severity is moderate and the impact is confined to message integrity/display trust. Prioritize it in environments where users may act on message content without out-of-band verification.

Recommended defensive actions

  • Apply the vendor patch referenced in the Movim moxl commit linked by NVD, or upgrade to a non-vulnerable Movim release if one is available.
  • Confirm whether any deployed instances are running Movim 0.8, 0.8.1, 0.9, or 0.10 and plan remediation accordingly.
  • Warn users that message origin displayed by the client may not be trustworthy until the fix is in place.
  • Review XMPP client and server configurations that rely on Message Carbons and validate that message attribution is handled safely.
  • Use the linked advisory material to brief support and moderation teams on the impersonation risk.
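As an added illustration of the attribution check behind the technical summary and the last action item above, this is the rule from the security considerations of XEP-0280: a carbon copy is honoured only when the wrapping stanza's `from` is the user's own bare JID, so a forwarded inner message naming a contact is never displayed unless the user's own server delivered it. This is example code written for this debrief, not Movim's code or the fix in the linked commit, and the JIDs and stanzas are constructed.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def bare_jid(jid):
    """Strip the resource: alice@example.org/phone -> alice@example.org."""
    return jid.split("/", 1)[0]


def accept_carbon(stanza_xml, own_bare_jid):
    """Return (inner_from, body) for a trustworthy carbon copy, else None.

    XEP-0280 security considerations: a <received>/<sent> carbon may only be
    honoured when the wrapping <message> is from the user's OWN bare JID,
    i.e. it was injected by the user's own server. A wrapper from anyone
    else is dropped, so the inner 'from' (a contact's JID) is not displayed.
    """
    msg = ET.fromstring(stanza_xml)
    carbon = msg.find(f"{{{NS_CARBONS}}}received")
    if carbon is None:
        carbon = msg.find(f"{{{NS_CARBONS}}}sent")
    if carbon is None:
        return None  # ordinary message, not a carbon copy
    outer_from = msg.get("from")
    if outer_from is None or bare_jid(outer_from) != own_bare_jid:
        return None  # wrapper not from our own account: ignore per XEP-0280
    inner = carbon.find(f"{{{NS_FORWARD}}}forwarded/{{{NS_CLIENT}}}message")
    if inner is None:
        return None
    return inner.get("from"), inner.findtext(f"{{{NS_CLIENT}}}body", default="")


# Constructed sample stanzas (not captured traffic). Both carry an inner
# message claiming to be from bob; only the first wrapper is from alice's
# own account, which is the only source a carbon may legitimately have.
LEGIT = """<message xmlns="jabber:client" from="alice@example.org" to="alice@example.org/desktop">
<received xmlns="urn:xmpp:carbons:2"><forwarded xmlns="urn:xmpp:forward:0">
<message xmlns="jabber:client" from="bob@example.org/laptop" to="alice@example.org/phone" type="chat">
<body>lunch at noon?</body></message></forwarded></received></message>"""

SPOOFED = """<message xmlns="jabber:client" from="third.party@example.net/x" to="alice@example.org/desktop">
<received xmlns="urn:xmpp:carbons:2"><forwarded xmlns="urn:xmpp:forward:0">
<message xmlns="jabber:client" from="bob@example.org/laptop" to="alice@example.org/phone" type="chat">
<body>please reset your password here</body></message></forwarded></received></message>"""

OWN = "alice@example.org"

if __name__ == "__main__":
    print(accept_carbon(LEGIT, OWN))    # ('bob@example.org/laptop', 'lunch at noon?')
    print(accept_carbon(SPOOFED, OWN))  # None
```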

Evidence notes

All statements are based on the supplied CVE record and its referenced official or third-party links as listed by NVD. The CVE description explicitly states that an incorrect implementation of XEP-0280 Message Carbons in multiple XMPP clients allows remote impersonation in the display and that this CVE applies to Movim 0.8 through 0.10. NVD also lists a patch reference in the Movim moxl GitHub commit and classifies the issue with CVSS 3.0 5.9 and CWE-20/CWE-346. No unsupported exploit steps or extra product details are included.

Official resources

NVD records CVE-2017-5605 as published on 2017-02-09T20:59:00.497Z and last modified on 2026-05-13T00:24:29.033Z. Use the published date for disclosure timing; the modified date reflects later record maintenance.