XChat did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
Acknowledgements: Red Hat would like to thank Nicholas Bebout for reporting this issue.
This was fixed in hexchat this past November: https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d It was originally reported in April 2013: https://github.com/hexchat/hexchat/issues/524 I'm not sure if that means it should have a 2013 CVE or a 2014 one. I am requesting one on oss-security. Also, upstream XChat is no longer in active development.
Created xchat tracking bugs for this issue: Affects: fedora-all [bug 1187322]
CVE assignment: http://seclists.org/oss-sec/2016/q2/17