Vulnerability Details : CVE-2019-9970
Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.
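A defender-side check for the condition described above, as an added example (not code from Signal or from the referenced advisory): it flags any domain label whose letters come from more than one script, such as Latin and Cyrillic, before a URL in message text is turned into a clickable link. The function names, the script list and the linkify policy are assumptions of this example.

```javascript
// Added example. Script names are Unicode Script property values; Han,
// Hiragana and Katakana share a group because Japanese labels mix them.
const SCRIPT_GROUPS = {
  Latin: 'Latin', Cyrillic: 'Cyrillic', Greek: 'Greek', Armenian: 'Armenian',
  Hebrew: 'Hebrew', Arabic: 'Arabic', Hangul: 'Hangul',
  Han: 'CJK', Hiragana: 'CJK', Katakana: 'CJK',
};
const MATCHERS = Object.entries(SCRIPT_GROUPS).map(
  ([script, group]) => [new RegExp(`^\\p{Script=${script}}$`, 'u'), group]
);

// Constructed sample: the fourth character of the host is U+0430 (Cyrillic "a").
const SAMPLE_SPOOF = 'https://ex\u0430mple.com/login';

// Return the set of script groups used by the letters of one DNS label.
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) {              // iterates by code point
    if (!/^\p{L}$/u.test(ch)) continue;  // digits and hyphens carry no script
    const hit = MATCHERS.find(([re]) => re.test(ch));
    found.add(hit ? hit[1] : 'Other');
  }
  return found;
}

// Extract the host exactly as written in the message (no punycode conversion).
function hostFromText(urlText) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(urlText.trim());
  if (!m) return null;
  const authority = m[1].slice(m[1].lastIndexOf('@') + 1); // drop userinfo
  return authority.replace(/:\d*$/, '').toLowerCase();     // drop port
}

// Labels that mix scripts, e.g. Latin and Cyrillic inside the same label.
function mixedScriptLabels(urlText) {
  const host = hostFromText(urlText);
  if (!host) return [];
  return host.split('.').filter((label) => scriptsInLabel(label).size > 1);
}

// Policy assumed by this example: auto-link only when no label mixes scripts.
function shouldLinkify(urlText) {
  return hostFromText(urlText) !== null && mixedScriptLabels(urlText).length === 0;
}
```

A label written entirely in one non-Latin script passes this check, so whole-script lookalikes need a separate confusables comparison.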
Products affected by CVE-2019-9970
- cpe:2.3:a:signal:signal-desktop:*:*:*:*:*:*:*:*
- cpe:2.3:a:signal:private_messenger:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-9970
- EPSS score: 0.42% (probability of exploitation activity in the next 30 days)
- Percentile: ~61% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-9970
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST | |
References for CVE-2019-9970
- https://github.com/blazeinfosec/advisories/blob/master/signal-advisory.txt
  advisories/signal-advisory.txt at master · blazeinfosec/advisories · GitHub (Third Party Advisory)
- http://www.securityfocus.com/bid/107550
  Signal CVE-2019-9970 Homograph Domain Spoofing Vulnerability (Third Party Advisory; VDB Entry)