We urge you to update to Monal ≥ 4.9 if you haven’t done it yet.

We discovered a security bug in Monal < 4.9 dubbed CVE-2020-26547:

Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. This allows a remote attacker
(able to send stanzas to a victim) to inject arbitrary messages into
the local history, with full control over the sender and receiver displayed
to the victim.

CVE-2020-26547

Thilo and Friedrich

One thought on “CVE-2020-26547”

Comments are closed.