CVE-2018-20436 Information

Description

DISPUTED: The "secret chat" feature in Telegram 4.9.1 for Android has a "side channel" in which Telegram servers send GET requests for URLs typed while composing a chat message, before that chat message is sent. There are also GET requests to other URLs on the same web server. This also affects one or more other Telegram products, such as Telegram Web-version 0.7.0. In addition, it can be interpreted as an SSRF issue. NOTE: a third party has reported that potentially unwanted behavior is caused by misconfiguration of the "Secret chats Preview links" setting.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://misteralfa-hack.blogspot.com/2018/12/abusando-de-telegram-para-conseguir-una.html

https://misteralfa-hack.blogspot.com/2018/12/telegram-siempre-in-middle.html

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.1

Base Severity

HIGH
