Vulnerability Details : CVE-2020-25824
Telegram Desktop through 2.4.3 does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files.
Products affected by CVE-2020-25824
- cpe:2.3:a:telegram:telegram_desktop:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-25824
- 0.08%: Probability of exploitation activity in the next 30 days
- ~34%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-25824
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
2.4 | LOW | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 0.9 | 1.4 | NIST | |
CWE ids for CVE-2020-25824
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-25824
- https://github.com/soheilsamanabadi/vulnerability/blob/main/Telegram-Desktop-CVE-2020-25824
  vulnerability/Telegram-Desktop-CVE-2020-25824 at main · soheilsamanabadi/vulnerability · GitHub (Third Party Advisory)
- https://github.com/telegramdesktop/tdesktop/releases/tag/v2.4.3
  Release v 2.4.3 · telegramdesktop/tdesktop · GitHub (Release Notes; Third Party Advisory)
- https://www.Telegram.org
  Telegram Messenger (Product)
- https://security.gentoo.org/glsa/202101-34
  Telegram Desktop: Multiple vulnerabilities (GLSA 202101-34) — Gentoo security (Third Party Advisory)