5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-6591

GHSA ID

GHSA-mv4h-qm24-x4gh

EPSS Score

0.49836%

CWE

CWE-200

Published

5/14/2022

Updated

10/6/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-6591

CVE-2018-6591: Converse.js Exposure of Sensitive Information

Converse.js and Inverse.js through 3.3 allow remote attackers to obtain sensitive information because it is too difficult to determine whether safe publication of private data was configured or even intended. For example, users might have an expectation that chatroom bookmarks are private, but the various interacting software components do not necessarily make that happen.

(GitHub Advisory)

5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-6591

GHSA ID

GHSA-mv4h-qm24-x4gh

EPSS Score

0.49836%

CWE

CWE-200

Published

5/14/2022

Updated

10/6/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jcbrand/converse.js	composer	< 3.3.3	3.3.3
converse.js	npm	< 3.3.3	3.3.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper access control configuration when storing PEP bookmarks. The key vulnerable code was in src/converse-bookmarks.js where bookmarks were initialized based solely on PEP support detection, without checking for required publish-options feature support. The commit added a critical check for http://jabber.org/protocol/pubsub#publish-options support via Promise.all([getIdentity, supports(...)]), indicating the previous absence of this security check was the root cause. This allowed bookmarks to be stored with server-default access models rather than enforced privacy settings.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*onv*rs*.js *n* Inv*rs*.js t*rou** *.* *llow r*mot* *tt**k*rs to o*t*in s*nsitiv* in*orm*tion ****us* it is too *i**i*ult to **t*rmin* w**t**r s*** pu*li**tion o* priv*t* **t* w*s *on*i*ur** or *v*n int*n***. *or *x*mpl*, us*rs mi**t **v* *n *xp**t*t

Reasoning

T** vuln*r**ility st*mm** *rom improp*r ****ss *ontrol *on*i*ur*tion w**n storin* P*P *ookm*rks. T** k*y vuln*r**l* *o** w*s in `sr*/*onv*rs*-*ookm*rks.js` w**r* *ookm*rks w*r* initi*liz** **s** sol*ly on P*P support **t**tion, wit*out ****kin* *or r

5.3

Basic Information

Concerned about an active attack path?

CVE-2018-6591: Converse.js Exposure of Sensitive Information

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI