Pidgin Security Advisories

This page lists all potential security vulnerabilities discovered since August 1st, 2004 in Pidgin (or Gaim), Finch, libpurple, or any official plugins included with those programs.

Title	CVE Name	Date	Fixed In
Out-of-bounds write when stripping xml	CVE 2017-2640	2017-03-09	2.12.0
Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability	CVE 2016-2375	2016-06-21	2.11.0
Pidgin MXIT MultiMX Message Code Execution Vulnerability	CVE 2016-2374	2016-06-21	2.11.0
Pidgin MXIT Contact Mood Denial of Service Vulnerability	CVE 2016-2373	2016-06-21	2.11.0
Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability	CVE 2016-2372	2016-06-21	2.11.0
Pidgin MXIT Extended Profiles Code Execution Vulnerability	CVE 2016-2371	2016-06-21	2.11.0
Pidgin MXIT Custom Resource Denial of Service Vulnerability	CVE 2016-2370	2016-06-21	2.11.0
Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability	CVE 2016-2369	2016-06-21	2.11.0
Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities	CVE 2016-2368	2016-06-21	2.11.0
Pidgin MXIT Avatar Length Memory Disclosure Vulnerability	CVE 2016-2367	2016-06-21	2.11.0
Pidgin MXIT Table Command Denial of Service Vulnerability	CVE 2016-2366	2016-06-21	2.11.0
Pidgin MXIT Markup Command Denial of Service Vulnerability	CVE 2016-2365	2016-06-21	2.11.0
Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability	CVE 2016-4323	2016-06-21	2.11.0
Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability	CVE 2016-2380	2016-06-21	2.11.0
	CVE 2016-2379	2016-06-21
Pidgin MXIT get_utf8_string Code Execution Vulnerability	CVE 2016-2378	2016-06-21	2.11.0
Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability	CVE 2016-2377	2016-06-21	2.11.0
Pidgin MXIT read stage 0x3 Code Execution Vulnerability	CVE 2016-2376	2016-06-21	2.11.0
X.509 Certificates Improperly Imported	CVE-2016-1000030	2016-06-21	2.11.0
Potential information leak from XMPP	CVE-2014-3698	2014-10-22	2.10.10
Malicious smiley themes could alter arbitrary files	CVE-2014-3697	2014-10-22	2.10.10
Remote crash parsing malformed Groupwise message	CVE-2014-3696	2014-10-22	2.10.10
Remote crash parsing malformed MXit emoticon	CVE-2014-3695	2014-10-22	2.10.10
Insufficient SSL certificate validation	CVE-2014-3694	2014-10-22	2.10.10
Remotely triggerable crash in IRC argument parsing	CVE-2014-0020	2014-01-28	2.10.8
Buffer overflow in SIMPLE header parsing	CVE-2013-6490	2014-01-28	2.10.8
Buffer overflow in MXit emoticon parsing	CVE-2013-6489	2014-01-28	2.10.8
Buffer overflow in Gadu-Gadu HTTP parsing	CVE-2013-6487	2014-01-28	2.10.8
Pidgin uses clickable links to untrusted executables	CVE-2013-6486	2014-01-28	2.10.8
Buffer overflow parsing chunked HTTP responses	CVE-2013-6485	2014-01-28	2.10.8
Crash reading response from STUN server	CVE-2013-6484	2014-01-28	2.10.8
XMPP doesn't verify 'from' on some iq replies	CVE-2013-6483	2014-01-28	2.10.8
NULL pointer dereference parsing SOAP data in MSN	CVE-2013-6482	2014-01-28	2.10.8
NULL pointer dereference parsing OIM data in MSN	CVE-2013-6482	2014-01-28	2.10.8
NULL pointer dereference parsing headers in MSN	CVE-2013-6482	2014-01-28	2.10.8
Remote crash reading Yahoo! P2P message	CVE-2013-6481	2014-01-28	2.10.8
Remote crash parsing HTTP responses	CVE-2013-6479	2014-01-28	2.10.8
Crash when hovering pointer over a long URL	CVE-2013-6478	2014-01-28	2.10.8
Crash handling bad XMPP timestamp	CVE-2013-6477	2014-01-28	2.10.8
Yahoo! remote crash from incorrect character encoding	CVE-2012-6152	2014-01-28	2.10.8
Windows Pidgin crash receiving some characters	N/A	2014-01-28	2.10.8
Crash when receiving a UPnP response with abnormally long values	CVE-2013-0274	2013-02-13	2.10.7
Sametime crash with long user IDs	CVE-2013-0273	2013-02-13	2.10.7
MXit buffer overflow reading data from network	CVE-2013-0272	2013-02-13	2.10.7
Remote MXit user could specify local file path	CVE-2013-0271	2013-02-13	2.10.7
MXit buffer overflow	CVE-2012-3374	2012-07-05	2.10.5
Possible MSN remote crash	CVE-2012-2318	2012-05-06	2.10.4
XMPP remote crash	CVE-2012-2214	2012-05-06	2.10.4
Possible MSN remote crash	CVE-2012-1178	2012-01-17	2.10.2
XMPP remote crash	CVE-2011-4939	2011-07-08	2.10.2
SILC remote crash	CVE-2011-4603	2011-09-29	2.10.1

Older