Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NSignal Private Messenger
APPSignal≤ 4.35.3Signal Desktop
APPSignal≤ 1.23.1
Related vulnerabilities
The WebRTC component in the Signal Private Messenger application through 4.47.7 for Android processes videocon...
Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments...
Signal Desktop before 1.29.1 on Windows allows local users to gain privileges by creating a Trojan horse %SYST...
The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answe...
Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up allows a remote non-contact to ring a ...