| Summary | XMPP doesn't verify 'from' on some iq replies |
|---|---|
| Discovered By | Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen |
| Fixed In Release | 2.10.8 |
The XMPP protocol plugin did not check that an iq reply came from the JID the corresponding request had been sent to. A remote attacker who could guess the id of an outstanding iq request could send a spoofed reply carrying that id, and the plugin would process it as if it were genuine. Depending on the request, this allowed the attacker to inject fake data or to trigger a null pointer dereference.
Record the 'to' address of every iq stanza when it is sent, and when a reply with that stanza id arrives, accept it only if its 'from' matches the recorded address; replies for that id from any other JID are discarded.
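The check described above, as an added illustration that is not Pidgin's own code: a small table of pending iq requests keyed by stanza id, each entry remembering the destination JID, and a reply handler that drops any reply whose 'from' does not match. The id scheme ("req-N", deliberately sequential so that it is guessable, as the advisory assumes), the JID normalization, and the constructed stanzas are all assumptions of this example. A request sent without a 'to' goes to the user's own server, whose reply may carry no 'from', the user's bare JID, or the server domain (RFC 6120 section 8.1.2.1), so that case is handled separately.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


def normalize_jid(jid: str) -> str:
    """Case-fold node and domain; the resource part stays case-sensitive.
    Full stringprep/PRECIS handling is omitted in this example."""
    bare, sep, resource = jid.partition("/")
    return bare.lower() + sep + resource


@dataclass
class PendingIq:
    to: Optional[str]                        # normalized JID the request went to; None = own server
    callback: Callable[[ET.Element], None]   # invoked only for a verified reply


@dataclass
class IqTracker:
    """Remembers where each outgoing iq went so replies can be matched."""
    own_jid: str                             # our full JID, e.g. "bob@example.org/laptop"
    pending: Dict[str, PendingIq] = field(default_factory=dict)
    counter: int = 0

    def send(self, to: Optional[str], payload: str, callback) -> str:
        """Build an iq 'get' with a fresh id and record its destination (hypothetical id scheme)."""
        self.counter += 1
        iq_id = f"req-{self.counter}"
        self.pending[iq_id] = PendingIq(normalize_jid(to) if to else None, callback)
        to_attr = f' to="{to}"' if to else ""
        return f'<iq type="get" id="{iq_id}"{to_attr}>{payload}</iq>'

    def _from_acceptable(self, expected_to: Optional[str], frm: Optional[str]) -> bool:
        if expected_to is None:
            # Request went to our own server: reply may have no 'from',
            # our bare JID, or the server domain.
            own_bare = normalize_jid(self.own_jid.partition("/")[0])
            domain = own_bare.partition("@")[2]
            return frm is None or normalize_jid(frm) in (own_bare, domain)
        # Otherwise the reply must come from exactly the JID we addressed.
        return frm is not None and normalize_jid(frm) == expected_to

    def handle(self, stanza: str) -> str:
        """Process an incoming iq; returns a disposition string for logging/tests."""
        iq = ET.fromstring(stanza)
        tag = iq.tag.rsplit("}", 1)[-1]      # tolerate an xmlns="jabber:client" prefix
        if tag != "iq" or iq.get("type") not in ("result", "error"):
            return "not-a-reply"
        iq_id = iq.get("id")
        pending = self.pending.get(iq_id)
        if pending is None:
            return "unknown-id"              # never sent, or already answered
        if not self._from_acceptable(pending.to, iq.get("from")):
            return "spoofed"                 # id guessed by a third party: drop it
        del self.pending[iq_id]              # one reply per request, so a replay is refused
        pending.callback(iq)
        return "ok"


def demo() -> dict:
    """Constructed exchange: a spoofed reply, the genuine reply, a replay, and a server reply."""
    delivered = []
    t = IqTracker("bob@example.org/laptop")
    t.send("alice@example.org/phone", '<query xmlns="jabber:iq:version"/>', delivered.append)
    # The outstanding id is "req-1"; mallory guesses it and answers first.
    spoof = ('<iq type="result" id="req-1" from="mallory@evil.example/x">'
             '<query xmlns="jabber:iq:version"><name>injected</name></query></iq>')
    real = ('<iq type="result" id="req-1" from="Alice@Example.org/phone">'
            '<query xmlns="jabber:iq:version"><name>Pidgin</name></query></iq>')
    results = {
        "spoofed": t.handle(spoof),
        "real": t.handle(real),
        "replay": t.handle(real),
    }
    t.send(None, '<query xmlns="http://jabber.org/protocol/disco#info"/>', delivered.append)
    results["server"] = t.handle('<iq type="result" id="req-2" from="example.org">'
                                 '<query xmlns="http://jabber.org/protocol/disco#info"/></iq>')
    results["delivered"] = len(delivered)
    return results


if __name__ == "__main__":
    print(demo())
```

Only replies that pass the 'from' check reach the callback, so the callback never sees attacker-controlled data for an id it did not expect; the unmatched reply is dropped rather than parsed, which is also what closes the null pointer dereference path described above.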