CVE-2021-37596
Description
Telegram Web K Alpha 0.6.1 allows XSS via a document name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Telegram Web K Alpha 0.6.1 contains a stored XSS vulnerability via a specially crafted document name.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Telegram Web K Alpha version 0.6.1. The bug arises when a user sends a document (e.g., a file) whose name contains malicious HTML/JavaScript code. The application fails to sanitize the document name before inserting it into the DOM, specifically through the doc.fileName property, which is now wrapped with RichTextProcessor.wrapEmojiText(file.name) in the fix [1]. The improper handling of document names in the chat interface and media popup leads to script execution in the context of the victim's session.
Exploitation
An attacker must have the ability to send messages in a Telegram chat (including groups or channels) and upload a file with a crafted filename containing malicious JavaScript. No user interaction is required beyond the victim viewing the chat or opening the document list; the XSS payload executes automatically when the document name is rendered in the Web K interface [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to disclosure of sensitive information (e.g., chat messages, contacts), session hijacking, or execution of arbitrary actions on behalf of the victim within the Telegram Web application [1].
Mitigation
The vulnerability is fixed in commit 11d2fe01363889f20c8baa2217ed4aad445c5551, which introduces RichTextProcessor.wrapEmojiText(file.name) to sanitize the document name before rendering [1]. Users should update to a version including this commit or apply the patch manually. As of the publication date, no further official update or workaround has been documented beyond this fix.
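The unsafe pattern the Vulnerability and Mitigation sections describe, shown as an added example that is not tweb's own code: an untrusted document name interpolated verbatim into markup beside a hardened version that HTML-escapes it first. The function names (escapeHtml, renderUnsafe, renderSafe, leaksMarkup), the sample document and the detection helper are all constructed for this example; RichTextProcessor.wrapEmojiText from the fix commit is assumed to provide equivalent escaping and is not called here.

```javascript
// Added example, not code from the tweb project. Demonstrates why an unescaped
// document name reaches the DOM as markup and how escaping prevents it.

// Minimal HTML entity map covering the metacharacters that matter in text and
// attribute contexts.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML metacharacter so the string is rendered literally.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Vulnerable pattern: the filename goes into the markup verbatim, so any tags it
// contains become real DOM nodes once this string is assigned to innerHTML.
function renderUnsafe(doc) {
  return `<div class="document-name">${doc.fileName}</div>`;
}

// Hardened pattern: the name is escaped before interpolation, so markup inside
// it is displayed as text rather than interpreted.
function renderSafe(doc) {
  return `<div class="document-name">${escapeHtml(doc.fileName)}</div>`;
}

// Constructed sample document (hypothetical): a filename carrying inline markup.
const SAMPLE_DOC = { fileName: 'invoice<i>2021</i>.pdf' };

// Review/detection helper: returns true when the rendered string contains a tag
// inside the wrapper element, i.e. the filename was not escaped.
function leaksMarkup(html) {
  const inner = html.slice(html.indexOf('>') + 1, html.lastIndexOf('<'));
  return /<[a-zA-Z/]/.test(inner);
}

// Run both renderers over the sample and report which one leaks markup.
function demo() {
  return {
    unsafe: renderUnsafe(SAMPLE_DOC),
    unsafeLeaks: leaksMarkup(renderUnsafe(SAMPLE_DOC)),
    safe: renderSafe(SAMPLE_DOC),
    safeLeaks: leaksMarkup(renderSafe(SAMPLE_DOC)),
  };
}
```

In a real client the same property applies to every sink that takes HTML (innerHTML, insertAdjacentHTML, template literals rendered as markup); assigning the filename through textContent, or escaping it as above before building markup, keeps the name inert in both the chat list and the media popup.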
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Telegram / Telegram Web K Alpha
  - Range: <= 0.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/morethanwords/tweb/commit/11d2fe01363889f20c8baa2217ed4aad445c5551 (MISC)
News mentions
No linked articles in our index yet.