MEDIUM✓ PATCH🇬🇧 English

CVE-2019-9970

CVSS 6.5v3.0pub. 2019-03-24upd. 2024-11-21

Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.

oryginał EN
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • Signal Private Messenger

    APP
    Signal
    ≤ 4.35.3
  • Signal Desktop

    APP
    Signal
    ≤ 1.23.1
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
CWE
Referencje

Powiązane podatności

CVE-2019-17192CRITICAL9.8ten sam produkt

The WebRTC component in the Signal Private Messenger application through 4.47.7 for Android processes videocon...

CVE-2023-24068HIGH7.8ten sam produkt

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments...

CVE-2019-19954HIGH7.3ten sam produkt

Signal Desktop before 1.29.1 on Windows allows local users to gain privileges by creating a Trojan horse %SYST...

CVE-2019-17191HIGH7.5ten sam produkt

The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answe...

CVE-2020-5753MEDIUM5.3ten sam produkt

Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up allows a remote non-contact to ring a ...