Pidgin > About > Security > Advisories

Advisories

This page lists all potential security vulnerabilities discovered since August 1st, 2004 in Pidgin (or Gaim), Finch, libpurple, or any official plugins included with those programs.

2022-04-28

MITM when used without DNSSEC

CVE-2022-26491

2017-03-09

Out-of-bounds write when stripping xml

CVE-2017-2640

2016-06-21

Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability

Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability

Pidgin MXIT get_utf8_string Code Execution Vulnerability

Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability

Pidgin MXIT read stage 0x3 Code Execution Vulnerability

Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability

Pidgin MXIT MultiMX Message Code Execution Vulnerability

Pidgin MXIT Contact Mood Denial of Service Vulnerability

Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability

Pidgin MXIT Extended Profiles Code Execution Vulnerability

Pidgin MXIT Custom Resource Denial of Service Vulnerability

Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability

Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities

Pidgin MXIT Avatar Length Memory Disclosure Vulnerability

Pidgin MXIT Table Command Denial of Service Vulnerability

Pidgin MXIT Markup Command Denial of Service Vulnerability

X.509 Certificates Improperly Imported

CVE-2016-1000030

2014-10-22

Potential information leak from XMPP

CVE-2014-3698

Malicious smiley themes could alter arbitrary files

CVE-2014-3697

Remote crash parsing malformed Groupwise message

CVE-2014-3696

Remote crash parsing malformed MXit emoticon

CVE-2014-3695

Insufficient SSL certificate validation

CVE-2014-3694

2014-01-28

Remotely triggerable crash in IRC argument parsing

CVE-2014-0020

Buffer overflow in MXit emoticon parsing

CVE-2013-6489

Buffer overflow in Gadu-Gadu HTTP parsing

CVE-2013-6487

Pidgin uses clickable links to untrusted executables

CVE-2013-6486

Buffer overflow parsing chunked HTTP responses

CVE-2013-6485

Crash reading response from STUN server

CVE-2013-6484

XMPP doesn't verify 'from' on some iq replies

CVE-2013-6483

NULL pointer dereference parsing SOAP data in MSN

CVE-2013-6482

NULL pointer dereference parsing OIM data in MSN

CVE-2013-6482

NULL pointer dereference parsing headers in MSN

CVE-2013-6482

Remote crash reading Yahoo! P2P message

CVE-2013-6481

Remote crash parsing HTTP responses

CVE-2013-6479

Crash when hovering pointer over a long URL

CVE-2013-6478

Crash handling bad XMPP timestamp

CVE-2013-6477

2012-01-28

Yahoo! remote crash from incorrect character encoding

CVE-2012-6152

2011-12-10

XMPP remote crash

CVE-2011-4602

2011-10-20

AIM and ICQ remote crash

CVE-2011-4601

2011-09-29

SILC remote crash

CVE-2011-4603

SILC remote crash

CVE-2011-3594

2011-08-20

Pidgin uses clickable links to untrusted executables

CVE-2011-3185

Remote crash in MSN protocol plugin

CVE-2011-3184

Remote crash in IRC protocol plugin

CVE-2011-2943

2011-07-08

XMPP remote crash

CVE-2011-4939

2011-06-23

Remote denial of service from corrupt buddy icons

CVE-2011-2485

2011-03-10

Remote denial of service in Yahoo protocol plugin

CVE-2011-1091

2011-02-06

Cipher API information disclosure

No security advisories

2010-12-26

MSN direct connection denial of service

CVE-2010-4528

2010-10-20

Multiple remotely-triggered denials of service

CVE-2010-3711

2010-07-21

ICQ X-Status denial of service

CVE-2010-2528

2010-05-12

MSN emoticon denial of service

CVE-2010-1624

2010-02-18

Smiley denial of service

CVE-2010-0423

Finch XMPP MUC crash

CVE-2010-0420

MSN malformed SLP message crash

CVE-2010-0277

2010-01-08

MSN file download vulnerability

CVE-2010-0013

2009-10-16

ICQ and maybe AIM remote crash

CVE-2009-3615

2009-09-03

XMPP custom smiley parsing bug

CVE-2009-3085

MSN handwritten message crash

CVE-2009-3084

MSN partial SLP invite crash

CVE-2009-3083

XMPP may not enforce TLS

CVE-2009-3026

IRC crash from malicious server

CVE-2009-2703

2009-08-22

Yahoo IM parsing crash

CVE-2009-3025

2009-08-18

MSN overflow parsing SLP messages

CVE-2009-2694

2009-05-28

ICQ parser excessive memory allocation

CVE-2009-1889

2009-05-03

QQ remote DoS

CVE-2009-1374

2009-05-02

MSN malformed SLP message overflow

CVE-2009-1376

XMPP file transfer buffer overflow

CVE-2009-1373

2009-03-20

Remote DoS in multiple protocols

CVE-2009-1375

2008-07-25

NSS TLS/SSL Certificates not validated

CVE-2008-3532

2008-07-01

MSN malformed SLP message overflow

CVE-2008-2927

2008-06-25

MSN Remote file transfer filename DoS

CVE-2008-2955

2008-05-11

Remote UPnP discovery DoS

CVE-2008-2957

2007-10-24

NULL pointer dereference in parsing invalid HTML

CVE-2007-4999

2007-09-27

MSN Remote "Nudge" DoS

CVE-2007-4996

2005-08-11

Gadu-Gadu memory alignment bug

CVE-2005-2370

AIM/ICQ away message buffer overflow

CVE-2005-2103

AIM/ICQ non-UTF-8 filename crash

CVE-2004-0500

2005-06-10

MSN Remote DoS

CVE-2005-1934

Remote Yahoo! crash

CVE-2005-1269

2005-05-10

MSN Remote DoS

CVE-2005-1262

Remote crash on some protocols

CVE-2005-1261

2005-04-04

Jabber remote crash

CVE-2005-0967

2005-04-02

Remote DoS on receiving certain messages over IRC

CVE-2005-0966

Remote DoS on receiving malformed HTML

CVE-2005-0965

2005-02-24

Remote DoS on receiving malformed HTML

CVE-2005-0208

2005-02-17

Remote DoS on receiving malformed HTML

CVE-2004-0473

AIM/ICQ remote denial of service

CVE-2005-0472

2004-10-19

MSN SLP DOS (malloc error)

No security advisories

MSN File transfer DOS (malloc error)

No security advisories

MSN SLP buffer overflow

CVE-2004-0891

2004-08-26

Content-length DOS (malloc error)

No security advisories

RTF message buffer overflow

CVE-2004-0785

Local hostname resolution buffer overflow

CVE-2004-0785

URL decode buffer overflow

CVE-2004-0785

Groupware message receive integer overflow

CVE-2004-0754

2004-08-22

Smiley theme installation lack of escaping

CVE-2004-0784

MSN strncpy buffer overflow

CVE-2004-0500