PatchSiren cyber security CVE debrief
CVE-2016-9107 Otr CVE debrief
CVE-2016-9107 is an information-disclosure issue in the OTR plugin for Gajim. When XHTML is used, the plugin can send information in cleartext, which can expose sensitive data to a remote attacker. NVD rates the issue HIGH, with a network-reachable attack path and no privileges or user interaction required.
- Vendor: Otr
- Product: gajim-otr (the OTR plugin for Gajim, per the NVD CPE)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-13
- Advisory updated: 2026-05-13
Who should care
Anyone running Gajim with the OTR plugin enabled, especially environments where XHTML messaging is used or where chat content may include sensitive information. Security teams supporting end users, messaging infrastructure, or privacy-sensitive communications should prioritize review.
Technical summary
NVD maps this issue to CWE-200 and lists the vulnerable CPE as cpe:2.3:a:otr:gajim-otr:-:*:*:*:*:*:*:*. The published CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which indicates remote, unauthenticated exposure of confidential data without integrity or availability impact. The source description attributes the leak to cleartext transmission when XHTML is used.
Defensive priority
High: this is a remote confidentiality issue with no authentication or user interaction required, and the published CVSS score is 7.5.
Recommended defensive actions
- Check whether Gajim's OTR plugin is installed and whether XHTML features are enabled or used in your deployment.
- Apply the upstream fix referenced by the project issue tracker and related changeset, or update to a release that includes the patch.
- If immediate patching is not possible, disable or avoid XHTML use in affected workflows to reduce exposure.
- Assume sensitive content handled through the affected path may have been exposed and review whether additional operational response is needed.
- Use the official CVE and NVD records, plus the project references, to confirm the applicable remediated build for your environment.
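As an added example for the first step above, the inventory check (this is not tooling from Gajim or from the advisory), a small scanner that walks a Gajim plugin directory and reports any plugin whose manifest identifies it as OTR, with its declared version, so the result can be compared against the remediated build once that is confirmed. The manifest layouts it reads (manifest.ini with an [info] section, or plugin-manifest.json with name/short_name/version keys), the default user plugin path ~/.local/share/gajim/plugins, and the "otr"/"off-the-record" name heuristic are assumptions, and the sample plugin tree it builds is constructed for the demonstration. It does not tell you whether XHTML messaging is in use; that is a runtime question for the deployment.

```python
"""Inventory check for an OTR plugin in a Gajim plugin directory.

Added example, not tooling from Gajim or the advisory. Manifest layouts,
the default plugin path and the name heuristic are assumptions.
"""
import configparser
import json
import os
import re
import sys
import tempfile

# Assumption: per-user Gajim plugins live here on Linux.
DEFAULT_PLUGIN_ROOT = os.path.expanduser("~/.local/share/gajim/plugins")

# Heuristic: "otr" or "gotr" as a token, or the phrase "off-the-record",
# in the directory name, plugin name or short name.
OTR_PATTERN = re.compile(r"(^|[^a-z0-9])g?otr([^a-z0-9]|$)|off[- _]the[- _]record")


def read_manifest(plugin_dir):
    """Return (name, short_name, version) for one plugin directory, or None.

    Assumption: a plugin carries either manifest.ini with an [info] section
    or plugin-manifest.json with name/short_name/version keys.
    """
    ini_path = os.path.join(plugin_dir, "manifest.ini")
    json_path = os.path.join(plugin_dir, "plugin-manifest.json")
    fallback_name = os.path.basename(plugin_dir)
    if os.path.isfile(ini_path):
        parser = configparser.ConfigParser()
        try:
            parser.read(ini_path, encoding="utf-8")
        except configparser.Error:
            return None
        if not parser.has_section("info"):
            return None
        return (parser.get("info", "name", fallback=fallback_name),
                parser.get("info", "short_name", fallback=""),
                parser.get("info", "version", fallback="unknown"))
    if os.path.isfile(json_path):
        try:
            with open(json_path, encoding="utf-8") as fh:
                data = json.load(fh)
        except (OSError, ValueError):
            return None
        if not isinstance(data, dict):
            return None
        return (str(data.get("name", fallback_name)),
                str(data.get("short_name", "")),
                str(data.get("version", "unknown")))
    return None


def looks_like_otr(dir_name, name, short_name):
    haystack = " ".join((dir_name, name, short_name)).lower()
    return OTR_PATTERN.search(haystack) is not None


def find_otr_plugins(plugin_root):
    """Scan one plugin root; return dicts for plugins that look like OTR."""
    hits = []
    if not os.path.isdir(plugin_root):
        return hits
    for entry in sorted(os.listdir(plugin_root)):
        plugin_dir = os.path.join(plugin_root, entry)
        if not os.path.isdir(plugin_dir):
            continue
        manifest = read_manifest(plugin_dir)
        if manifest is None:
            continue  # no recognisable manifest; cannot classify it
        name, short_name, version = manifest
        if looks_like_otr(entry, name, short_name):
            hits.append({"dir": plugin_dir, "name": name, "version": version})
    return hits


def build_sample_plugin_tree():
    """Constructed sample tree for the demonstration (not a real install)."""
    root = tempfile.mkdtemp(prefix="gajim-plugins-sample-")
    otr_dir = os.path.join(root, "gotr")
    os.makedirs(otr_dir)
    with open(os.path.join(otr_dir, "manifest.ini"), "w", encoding="utf-8") as fh:
        fh.write("[info]\nname = Off-The-Record Encryption\n"
                 "short_name = gotr\nversion = 0.1-sample\n")
    other_dir = os.path.join(root, "url_image_preview")
    os.makedirs(other_dir)
    with open(os.path.join(other_dir, "plugin-manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "URL Image Preview", "short_name": "url_image_preview",
                   "version": "0.2-sample"}, fh)
    os.makedirs(os.path.join(root, "stray_dir_without_manifest"))
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PLUGIN_ROOT
    found = find_otr_plugins(root)
    if not found:
        print("no OTR plugin found under", root)
    for hit in found:
        print("OTR plugin:", hit["name"], hit["version"], "in", hit["dir"])
```

Run it with no argument to scan the assumed per-user plugin path, or pass a system-wide plugin directory as the first argument. Directories without a readable manifest are skipped rather than reported, so an empty result means "nothing recognisable", not "nothing installed"; confirm by hand when the plugin directory layout differs from the assumed one.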
Evidence notes
The vulnerability description states that the OTR plugin for Gajim sends information in cleartext when using XHTML, allowing remote attackers to obtain sensitive information via unspecified vectors. NVD supplies the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-200. The reference set includes oss-security mailing-list posts dated 2016-10-30, SecurityFocus BID 94099, Gajim issue 145, and a related changeset, which together support the public disclosure and patch trail.
Official resources
- CVE-2016-9107 CVE record (CVE.org)
- CVE-2016-9107 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference (NVD tags: Mailing List, Third Party Advisory)
- Mitigation or vendor reference (NVD tags: Mailing List, Third Party Advisory)
- Mitigation or vendor reference (NVD tags: Third Party Advisory, VDB Entry)
- Mitigation or vendor reference (NVD tags: Issue Tracking, Patch)
- Source reference (NVD tag: Permissions Required)
Public disclosure appears in oss-security mailing-list posts dated 2016-10-30; the CVE was published by NVD on 2017-01-13. The source record was later modified on 2026-05-13.