PidginCVEs & Vulnerabilities

90 CVEs affecting Pidgin products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

pidgin 2.008libpurple 57mxit 1
CVE-2022-26491MEDIUM

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

2 Jun 2022
5.9
CVSS
CVE-2012-1257MEDIUMpoc

Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.

20 Nov 2019
5.5
CVSS
CVE-2016-1000030CRITICAL

Pidgin version <2.11.0 contains a vulnerability in X.509 Certificates imports specifically due to improper check of return values from gnutls_x509_crt_init() and gnutls_x509_crt_import() that can result in code execution. This attack appear to be exploitable via custom X.509 certificate from another client. This vulnerability appears to have been fixed in 2.11.0.

5 Sep 2018
9.8
CVSS
CVE-2017-2640HIGH

An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process.

27 Jul 2018
7.5
CVSS
CVE-2016-2379HIGH

The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain login access by eavesdropping on login messages and re-using the hashed passwords.

29 Mar 2017
8.8
CVSS
CVE-2016-4323LOW

A directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability.

6 Jan 2017
3.7
CVSS
CVE-2016-2380LOW

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read.

6 Jan 2017
3.1
CVSS
CVE-2016-2378HIGH

A buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.

6 Jan 2017
8.1
CVSS
CVE-2016-2377HIGH

A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering the vulnerability.

6 Jan 2017
8.1
CVSS
CVE-2016-2376HIGH

A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size for a packet which will trigger a buffer overflow.

6 Jan 2017
8.1
CVSS
CVE-2016-2375MEDIUM

An exploitable out-of-bounds read exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT contact information sent from the server can result in memory disclosure.

6 Jan 2017
5.3
CVSS
CVE-2016-2374HIGH

An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.

6 Jan 2017
8.1
CVSS
CVE-2016-2373MEDIUM

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability.

6 Jan 2017
5.9
CVSS
CVE-2016-2372MEDIUM

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle attacker can send an invalid size for a file transfer which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the file is sent to another user.

6 Jan 2017
5.9
CVSS
CVE-2016-2371HIGH

An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.

6 Jan 2017
8.1
CVSS
CVE-2016-2370MEDIUM

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle attacker can send invalid data to trigger this vulnerability.

6 Jan 2017
5.9
CVSS
CVE-2016-2369MEDIUM

A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability.

6 Jan 2017
5.9
CVSS
CVE-2016-2368HIGH

Multiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure.

6 Jan 2017
8.1
CVSS
CVE-2016-2367MEDIUM

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.

6 Jan 2017
5.9
CVSS
CVE-2016-2366MEDIUM

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.

6 Jan 2017
5.9
CVSS
CVE-2016-2365MEDIUM

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.

6 Jan 2017
5.9
CVSS
CVE-2014-3698MEDIUM

The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message.

29 Oct 2014
5.0
CVSS
CVE-2014-3697MEDIUM

Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme.

29 Oct 2014
6.4
CVSS
CVE-2014-3696MEDIUM

nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation.

29 Oct 2014
5.0
CVSS
CVE-2014-3695MEDIUM

markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response.

29 Oct 2014
5.0
CVSS
CVE-2014-3694MEDIUM

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

29 Oct 2014
6.4
CVSS
CVE-2013-6490CRITICAL

The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a negative Content-Length header, which triggers a buffer overflow.

6 Feb 2014
10.0
CVSS
CVE-2013-6489MEDIUM

Integer signedness error in the MXit functionality in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (segmentation fault) via a crafted emoticon value, which triggers an integer overflow and a buffer overflow.

6 Feb 2014
5.0
CVSS
CVE-2013-6487HIGH

Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow.

6 Feb 2014
7.5
CVSS
CVE-2013-6482MEDIUM

Pidgin before 2.10.8 allows remote MSN servers to cause a denial of service (NULL pointer dereference and crash) via a crafted (1) SOAP response, (2) OIM XML response, or (3) Content-Length header.

6 Feb 2014
5.0
CVSS
CVE-2013-6481MEDIUM

libpurple/protocols/yahoo/libymsg.c in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (crash) via a Yahoo! P2P message with a crafted length field, which triggers a buffer over-read.

6 Feb 2014
5.0
CVSS
CVE-2014-0020MEDIUM

The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message.

6 Feb 2014
5.0
CVSS
CVE-2013-6486CRITICAL

gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction of an explorer.exe command. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3185.

6 Feb 2014
9.3
CVSS
CVE-2013-6485MEDIUM

Buffer overflow in util.c in libpurple in Pidgin before 2.10.8 allows remote HTTP servers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid chunk-size field in chunked transfer-coding data.

6 Feb 2014
5.0
CVSS
CVE-2013-6484MEDIUM

The STUN protocol implementation in libpurple in Pidgin before 2.10.8 allows remote STUN servers to cause a denial of service (out-of-bounds write operation and application crash) by triggering a socket read error.

6 Feb 2014
5.0
CVSS
CVE-2013-6483MEDIUM

The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not properly determine whether the from address in an iq reply is consistent with the to address in an iq request, which allows remote attackers to spoof iq traffic or cause a denial of service (NULL pointer dereference and application crash) via a crafted reply.

6 Feb 2014
6.4
CVSS
CVE-2013-6479MEDIUM

util.c in libpurple in Pidgin before 2.10.8 does not properly allocate memory for HTTP responses that are inconsistent with the Content-Length header, which allows remote HTTP servers to cause a denial of service (application crash) via a crafted response.

6 Feb 2014
5.0
CVSS
CVE-2013-6478MEDIUM

gtkimhtml.c in Pidgin before 2.10.8 does not properly interact with underlying library support for wide Pango layouts, which allows user-assisted remote attackers to cause a denial of service (application crash) via a long URL that is examined with a tooltip.

6 Feb 2014
4.3
CVSS
CVE-2013-6477MEDIUM

Multiple integer signedness errors in libpurple in Pidgin before 2.10.8 allow remote attackers to cause a denial of service (application crash) via a crafted timestamp value in an XMPP message.

6 Feb 2014
5.0
CVSS
CVE-2012-6152MEDIUM

The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does not properly validate UTF-8 data, which allows remote attackers to cause a denial of service (application crash) via crafted byte sequences.

6 Feb 2014
5.0
CVSS
CVE-2013-0274LOW

upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long strings in UPnP responses, which allows remote attackers to cause a denial of service (application crash) by leveraging access to the local network.

16 Feb 2013
2.9
CVSS
CVE-2013-0273MEDIUM

sametime.c in the Sametime protocol plugin in libpurple in Pidgin before 2.10.7 does not properly terminate long user IDs, which allows remote servers to cause a denial of service (application crash) via a crafted packet.

16 Feb 2013
5.0
CVSS
CVE-2013-0272MEDIUM

Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.7 allows remote servers to execute arbitrary code via a long HTTP header.

16 Feb 2013
6.8
CVSS
CVE-2013-0271MEDIUM

The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted (1) mxit or (2) mxit/imagestrips pathname.

16 Feb 2013
5.0
CVSS
CVE-2011-4922LOW

cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retains encryption-key data in process memory, which might allow local users to obtain sensitive information by reading a core file or other representation of memory contents.

8 Aug 2012
2.1
CVSS
CVE-2012-3374HIGH

Buffer overflow in markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.5 allows remote attackers to execute arbitrary code via a crafted inline image in a message.

7 Jul 2012
7.5
CVSS
CVE-2012-2318MEDIUM

msg.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.4 does not properly handle crafted characters, which allows remote servers to cause a denial of service (application crash) by placing these characters in a text/plain message.

3 Jul 2012
5.0
CVSS
CVE-2012-2214LOW

proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle canceled SOCKS5 connection attempts, which allows user-assisted remote authenticated users to cause a denial of service (application crash) via a sequence of XMPP file-transfer requests.

3 Jul 2012
3.5
CVSS
← PrevPage 1 / 2Next →
Pidgin CVEs & Vulnerabilities — 90 Tracked