Telegram WebK vulnerable to XSS via postMessage event
CVE-2024-33905
Currently unrated
What is CVE-2024-33905?
Telegram WebK prior to version 2.0.0 (488) is vulnerable to cross-site scripting (XSS) via a specially crafted Mini Web App. The flaw is triggered through the postMessage web_app_open_link event type and can give an attacker access to the user's session, with session hijacking as the potential outcome. Users who open a malicious Mini Web App may unknowingly expose sensitive data, which makes this a notable privacy and security concern for the platform.
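The defensive pattern a web client should apply to a postMessage-driven open-link request, as an added example that is not Telegram WebK's own code: the message shape (eventType/eventData.url), the trusted-origin list and the function names are assumptions for illustration, and the checks (sender origin, event type, and an http(s)-only URL scheme) are the general hardening for this class of bug rather than a description of the actual fix.

```javascript
// Added example (not Telegram WebK code): a defensively written receiver for
// Mini App postMessage events. Message shape, origin list and handler names
// are assumptions for illustration.
const TRUSTED_MINI_APP_ORIGINS = new Set(["https://miniapp.example"]); // constructed

// Return the URL to open, or null if the request must be dropped.
function validateOpenLinkRequest(event, trustedOrigins = TRUSTED_MINI_APP_ORIGINS) {
  // 1. Only accept messages from origins the client itself embedded.
  if (!trustedOrigins.has(event.origin)) return null;

  // 2. Parse defensively: event.data may arrive as a string or an object.
  let msg = event.data;
  if (typeof msg === "string") {
    try { msg = JSON.parse(msg); } catch { return null; }
  }
  if (!msg || typeof msg !== "object" || msg.eventType !== "web_app_open_link") return null;

  const raw = msg.eventData && msg.eventData.url;
  if (typeof raw !== "string") return null;

  // 3. Parse the URL and allow only http(s). Other schemes such as
  //    javascript: or data: would run in the web client's own origin.
  let url;
  try { url = new URL(raw); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Handler wiring: open validated links in a new, opener-less context so the
// target page cannot reach back into the client window. Returns whether a
// link was opened, so the decision can be logged or tested.
function onMiniAppMessage(event, openFn = (href) => window.open(href, "_blank", "noopener,noreferrer")) {
  const href = validateOpenLinkRequest(event);
  if (href === null) return false;
  openFn(href);
  return true;
}
```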