An issue exists in Pidgin prior to 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client then performs TLS certificate verification against the malicious server's domain name instead of the original XMPP service domain, so a certificate that is valid for the attacker's own host is accepted. This allows the attacker to take over the XMPP connection and obtain the user's credentials and all communication content. This is similar to CVE-2022-24968.
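The flaw described above is a name-selection bug, not a certificate-chain bug: the certificate is checked against a host name that came from an unauthenticated DNS answer. The following is an added illustration of that class of mistake and its fix, not Pidgin's code or any code from this advisory. The SRV answer and the peer certificates are constructed inline so the example runs offline; the service domain, host names and certificate contents are all hypothetical.

```python
"""Name-check pitfall behind SRV-based XMPP connections (constructed illustration).

A client for user@example.com looks up the _xmpp-client._tcp.example.com SRV
record and connects to whatever target host the answer names. If the TLS
certificate is then verified against that SRV target instead of the service
domain (example.com), an attacker who can forge the DNS answer points the
client at a host they control and presents a certificate that is perfectly
valid for that host. Checking the service domain, as RFC 6120 requires,
defeats this because the attacker cannot obtain a certificate for it.
"""
import ssl

# Constructed stand-in for an SRV lookup: a forged answer is hard-coded so the
# example runs offline. A real client would query DNS (e.g. with dnspython).
SPOOFED_SRV = {
    "example.com": "xmpp.attacker.example",  # attacker-controlled target
}

# Constructed peer certificates in the shape returned by SSLSocket.getpeercert().
# The attacker's certificate is assumed to be validly issued for their own host.
ATTACKER_CERT = {"subjectAltName": (("DNS", "xmpp.attacker.example"),)}
LEGIT_CERT = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}


def lookup_srv_target(service_domain):
    """Return the SRV target host for an XMPP service domain (constructed)."""
    return SPOOFED_SRV.get(service_domain, "xmpp." + service_domain)


def _label_matches(pattern, name):
    """RFC 6125-style match: exact, or a wildcard only in the leftmost label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        first, _, rest = name.partition(".")
        return bool(first) and rest == pattern[2:]
    return False


def cert_matches_name(cert, expected_name):
    """Check a getpeercert()-style dict's DNS SANs against expected_name."""
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_label_matches(p, expected_name) for p in dns_names)


def expected_tls_name(service_domain, srv_target, fixed):
    """Choose the name the certificate must be checked against.

    fixed=False reproduces the flawed logic: trust the unauthenticated SRV
    target. fixed=True uses the XMPP service domain, the name the user typed
    and the only one not controlled by whoever answers the DNS query.
    """
    return service_domain if fixed else srv_target


def accept_connection(service_domain, peer_cert, fixed):
    """Decide whether the peer certificate of a TLS handshake is acceptable."""
    target = lookup_srv_target(service_domain)
    return cert_matches_name(peer_cert, expected_tls_name(service_domain, target, fixed))


def wrap_xmpp_socket(sock, service_domain):
    """Apply the same fix at the library level (not executed in this example).

    Python's ssl module checks the certificate against server_hostname, so the
    service domain, not the SRV target, must be passed here even though the
    TCP connection was made to the SRV target.
    """
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=service_domain)


if __name__ == "__main__":
    for fixed in (False, True):
        ok = accept_connection("example.com", ATTACKER_CERT, fixed)
        print(f"fixed={fixed}: attacker certificate accepted = {ok}")
```

With the flawed name selection the forged SRV target makes the attacker's certificate pass; with the service domain as the expected name it fails, while the genuine server's certificate (issued for example.com or *.example.com) still passes. Whatever library does the handshake, the check to make is that the name handed to the verifier is the one the user configured, not one obtained over plain DNS.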
Vulnerable Product |
---|
pidgin pidgin |
debian debian linux 9.0 |