CVE-2019-9970

EUVD-2019-19324

24.03.2019, 02:29

Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Affected Products (NVD)

Vendor	Product	Version
signal	signal-desktop	𝑥 ≤ 1.23.1

𝑥

= Vulnerable software versions

References

http://www.securityfocus.com/bid/107550

https://github.com/blazeinfosec/advisories/blob/master/signal-advisory.txt

http://www.securityfocus.com/bid/107550

https://github.com/blazeinfosec/advisories/blob/master/signal-advisory.txt