Two data injection security issues were just fixed on Movim master in the following commit 71fcff40d70abd84f10baa252f86eba64264e841.

Movim was not verifying the origin of two kind of XML messages (called stanza) coming from the XMPP connection. This could allow some attacker to inject, in the current client session, some hazardous data. Those data are not persistent after a session reconnection.

• The roster items
• The Bookmarks 2 PEP items

The Roster items security issue was left open for many years and there is no known exploit from the team of it yet. But we strongly recommend you to patch your Movim instance by adding the following line in the lib/moxl/src/Moxl/Xec/Payload/Roster.php file on line 12.

if (current(explode('/', (string)$parent->attributes()->from)) != \App\User::me()->id) return;

The Bookmark 2 PEP item issue is very similar but was only recently introduced in master with the implementation of the Bookmark 2 feature. We simply recommend to pull master and restart you Movim instance to clear the cache and remove any unwanted data.