Cross-Site Scripting Vulnerability in Open Whisper Signal Desktop by Open Whisper Systems
CVE-2018-11101

6.1MEDIUM

Key Information:

Vendor: Signal
Status: Signal-desktop
Vendor: CVE Published:; 17 May 2018

What is CVE-2018-11101?

Open Whisper Signal Desktop versions up to 1.10.1 are susceptible to a Cross-Site Scripting (XSS) vulnerability that arises from improper handling of HTML messages. An attacker can exploit this flaw by sending a maliciously crafted HTML message containing SCRIPT, IFRAME, or IMG elements. When the victim replies to this message, the malicious content can trigger JavaScript execution, leading to potential risks such as unauthorized file access or data leakage. Notably, the vulnerability can also be leveraged through SMB protocol for remote resource inclusion, allowing the injection of JavaScript via IFRAME elements. This critical flaw emphasizes the need for rigorous HTML sanitization practices in messaging applications.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

http://seclists.org/fulldisclosure/2018/May/46

mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 17, 2018
Vulnerability Reserved
May 14, 2018

JSON

Signal

What is CVE-2018-11101?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.