Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.

The remote Ubuntu 20.04 LTS / 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-7430-1 advisory.

    Kim Alvefur discovered that Dino did not correctly sanitize certain messages. A remote attacker could     possibly use this issue to leak sensitive information.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-ea6b94395f advisory.

    Maintenance release with fix for CVE-2023-28686 and bug fixes.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-587d6a00c3 advisory.

    Maintenance release with fix for CVE-2023-28686 and bug fixes.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-f003d8e633 advisory.

    Maintenance release with fix for CVE-2023-28686 and bug fixes.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5379 advisory.

    Kim Alvefur discovered that insufficient message sender validation in dino-im, a modern XMPP/Jabber     client, may result in manipulation of entries in the personal bookmark store without user interaction via     a specially crafted message. Additionally an attacker can take advantage of this flaw to change how group     chats are displayed or force a user to join or leave an attacker-selected groupchat. For the stable     distribution (bullseye), this problem has been fixed in version 0.2.0-3+deb11u1. We recommend that you     upgrade your dino-im packages. For the detailed security status of dino-im please refer to its security     tracker page at: https://security-tracker.debian.org/tracker/dino-im

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the dec6b8e9-c9fe-11ed-bb39-901b0e9408dc advisory.

  - Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal     bookmark store via a crafted message. The attacker can change the display of group chats or force a victim     to join a group chat; the victim may then be tricked into disclosing sensitive information.
    (CVE-2023-28686)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
234117	Ubuntu 20.04 LTS / 22.04 LTS : Dino vulnerability (USN-7430-1)	Nessus	Ubuntu Local Security Checks	high
173749	Fedora 38 : dino (2023-ea6b94395f)	Nessus	Fedora Local Security Checks	high
173748	Fedora 36 : dino (2023-587d6a00c3)	Nessus	Fedora Local Security Checks	high
173743	Fedora 37 : dino (2023-f003d8e633)	Nessus	Fedora Local Security Checks	high
173650	Debian DSA-5379-1 : dino-im - security update	Nessus	Debian Local Security Checks	high
173371	FreeBSD : dino -- Insufficient message sender validation in Dino (dec6b8e9-c9fe-11ed-bb39-901b0e9408dc)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2023-28686

high

Tenable Plugins

high

high

high

high

high

high