Cross-Site Scripting and Local File Reading Vulnerability in WhatsApp Desktop and iPhone
CVE-2019-18426
Key Information:
- Vendor
Facebook
- Status
- Vendor
- CVE Published:
- 21 January 2020
Badges
What is CVE-2019-18426?
A vulnerability exists in WhatsApp Desktop versions prior to 0.3.9309, alongside WhatsApp for iPhone versions before 2.20.10, which enables attackers to perform cross-site scripting (XSS) attacks. This vulnerability is exploited when a victim clicks on a link preview embedded in a specially crafted text message, allowing unauthorized access to local files on the user's system. Such an oversight poses risks to user privacy and data integrity, necessitating immediate attention from users to upgrade to patched versions.
CISA has reported CVE-2019-18426
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2019-18426 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply updates per vendor instructions.
Affected Version(s)
WhatsApp Desktop 0.3.9309
WhatsApp Desktop < 0.3.9309
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
58% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🦅
CISA Reported
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved