CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2019-9970

MEDIUM
6.5
CVSS Severity Score
EPSS Score0.0030%
EPSS Percentile2.88th
Published2019年3月24日
Last Modified2024年11月21日

Vulnerability Description

Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.

Affected Platforms (CPE)

📦
Signal

Private Messenger

<= 4.35.3
📦
Signal

Signal Desktop

<= 1.23.1

References & Advisories

🔗 http://www.securityfocus.com/bid/107550
🔗 https://github.com/blazeinfosec/advisories/blob/master/signal-advisory.txt
🔗 http://www.securityfocus.com/bid/107550
🔗 https://github.com/blazeinfosec/advisories/blob/master/signal-advisory.txt

相關漏洞威脅

CVE-2019-171929.8

The WebRTC component in the Signal Private Messenger application through 4.47.7 for Android processes videoconferencing RTP packet...

CVE-2019-171917.5

The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered, without callee ...

CVE-2020-57535.3

Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up allows a remote non-contact to ring a victim's Signal phon...

CVE-2018-39884.7

Signal Messenger for Android 4.24.8 may expose private information when using "disappearing messages." If a user uses the photo fe...