PatchSiren cyber security CVE debrief

CVE-2017-5593 Psi Plus CVE debrief

CVE-2017-5593 is an XMPP client integrity issue in Psi+ where an incorrect implementation of XEP-0280 Message Carbons can let a remote attacker appear as another user in the application display. The practical impact is social engineering: a victim may trust a message or sender identity that was spoofed in the UI. NVD assigns CVSS 3.0 5.9 (Medium) and lists affected Psi+ versions 0.16.563.580 through 0.16.571.627.

Vendor: Psi Plus
Product: CVE-2017-5593
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Psi+ users, administrators, and anyone relying on message sender identity in XMPP chats should care, especially if affected versions remain deployed in environments where chat-based trust is important.

Technical summary

The NVD record describes an incorrect implementation of XEP-0280 Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. The listed weakness types are CWE-20 and CWE-346, and the CVSS vector is AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating a network-reachable issue that primarily affects integrity rather than confidentiality or availability.
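As an added illustration (not code from this advisory, from NVD, or from Psi+), the check that XEP-0280 itself imposes on a carbons-capable client: a forwarded copy is trusted only when the wrapping message arrives from the user's own bare JID, so a wrapper from anyone else never reaches the display. The page does not say which part of Psi+'s carbons handling was incorrect, so this shows the spec's general rule rather than the specific patch; the JIDs and both stanzas are constructed.

```python
import xml.etree.ElementTree as ET

NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"
NS_CLIENT = "jabber:client"


def bare_jid(jid):
    """Strip the resource: 'alice@example.org/laptop' -> 'alice@example.org'."""
    return jid.split("/", 1)[0]


def accept_carbon(stanza_xml, own_bare_jid):
    """Return (accepted, displayed_sender, body) for one <message/> stanza.

    XEP-0280 requires that a carbon copy (<received/> or <sent/>) be accepted
    only when the OUTER message comes from the user's own bare JID (or has no
    'from', which the server fills in). Any other wrapper is rejected, so the
    inner message's 'from' is never shown as the sender.
    """
    msg = ET.fromstring(stanza_xml)
    outer_from = msg.get("from")
    wrapper = msg.find(f"{{{NS_CARBONS}}}received")
    if wrapper is None:
        wrapper = msg.find(f"{{{NS_CARBONS}}}sent")
    if wrapper is None:  # ordinary message: the outer sender is the real one
        body = msg.findtext(f"{{{NS_CLIENT}}}body") or ""
        return True, bare_jid(outer_from) if outer_from else None, body
    if outer_from is not None and bare_jid(outer_from) != own_bare_jid:
        return False, bare_jid(outer_from), ""  # wrapper not from our account
    fwd = wrapper.find(f"{{{NS_FORWARD}}}forwarded/{{{NS_CLIENT}}}message")
    if fwd is None or not fwd.get("from"):
        return False, None, ""  # malformed carbon: nothing safe to display
    return True, bare_jid(fwd.get("from")), fwd.findtext(f"{{{NS_CLIENT}}}body") or ""


# Constructed sample stanzas (hypothetical JIDs). Both wrap an inner message
# that claims to be from bob@example.org; only the first comes from Alice's
# own bare JID, which is what makes it a legitimate carbon.
GENUINE_CARBON = """<message xmlns='jabber:client' from='alice@example.org'
  to='alice@example.org/laptop' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='bob@example.org/phone'
        to='alice@example.org/desktop' type='chat'><body>hi</body></message>
    </forwarded>
  </received>
</message>"""
SPOOFED_CARBON = GENUINE_CARBON.replace(
    "from='alice@example.org'", "from='mallory@evil.example'", 1)
```

Calling `accept_carbon(SPOOFED_CARBON, "alice@example.org")` rejects the wrapper and reports the outer sender, whereas a client that skipped this check would display bob@example.org.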

Defensive priority

Medium. Prioritize remediation if affected Psi+ builds are still in use, because the flaw can undermine trust in chat identity and enable convincing phishing or impersonation inside the client UI.

Recommended defensive actions

  • Upgrade Psi+ to a version outside the affected range 0.16.563.580 through 0.16.571.627.
  • Validate that the deployed build includes the patch referenced in the supplied corpus before relying on chat identity for sensitive workflows.
  • Treat sender identity shown by vulnerable clients as potentially spoofable until remediation is complete.
  • If upgrading is delayed, reduce reliance on client-displayed identities for approvals, account changes, or other trust-sensitive actions.

Evidence notes

The supplied NVD metadata says the issue is an incorrect implementation of XEP-0280 Message Carbons that allows remote impersonation in the application's display, with 0.16.563.580 and 0.16.571.627 explicitly listed as the endpoints of the vulnerable Psi+ version range. The record also provides CVSS 3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N and weaknesses CWE-20 and CWE-346. References in the corpus include a mailing-list disclosure, a patch commit, and a third-party technical advisory. One advisory URL in the supplied references uses CVE-2017-5589 in its path, which appears to be an identifier mismatch relative to this CVE record and should be treated cautiously.

Official resources

Publicly disclosed and published on 2017-02-09. The NVD record was later modified on 2026-05-13; that modified date does not change the original disclosure date.