Signalapp
Products
3- 7 CVEs
- 2 CVEs
- 2 CVEs
Recent CVEs
10| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-16132 | Hig | 0.56 | 8.6 | 0.01 | Aug 29, 2018 | The image rendering component (createGenericPreview) of the Open Whisper Signal app through 2.29.0 for iOS fails to check for unreasonably large images before manipulating received images. This allows for a large image sent to a user to exhaust all available memory when the… | ||
| CVE-2018-11101 | Med | 0.40 | 6.1 | 0.01 | May 17, 2018 | Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply, a different vulnerability than CVE-2018-10994. The attacker needs to send HTML… | ||
| CVE-2018-14023 | Med | 0.19 | 4.0 | 0.00 | Aug 20, 2018 | Open Whisper Signal (aka Signal-Desktop) before 1.15.0-beta.10 allows information leakage. | ||
| CVE-2023-24068 | 0.00 | — | 0.00 | Jan 23, 2023 | Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, resulting in an attacker's ability to insert… | |||
| CVE-2023-24069 | 0.00 | — | 0.01 | Jan 23, 2023 | Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file… | |||
| CVE-2019-19954 | 0.00 | — | 0.00 | Dec 24, 2019 | Signal Desktop before 1.29.1 on Windows allows local users to gain privileges by creating a Trojan horse %SYSTEMDRIVE%\node_modules\.bin\wmic.exe file. | |||
| CVE-2019-9970 | 0.00 | — | 0.02 | Mar 24, 2019 | Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even… | |||
| CVE-2018-3988 | 0.00 | — | 0.01 | Dec 10, 2018 | Signal Messenger for Android 4.24.8 may expose private information when using "disappearing messages." If a user uses the photo feature available in the "attach file" menu, then Signal will leave the picture in its own cache directory, which is available to any application on… | |||
| CVE-2018-10994 | Med | 0.00 | 6.1 | 0.01 | May 14, 2018 | js/views/message_view.js in Open Whisper Signal (aka Signal-Desktop) before 1.10.1 allows XSS via a URL. | ||
| CVE-2018-9840 | Med | 0.00 | 6.8 | 0.00 | Apr 10, 2018 | The Open Whisper Signal app before 2.23.2 for iOS allows physically proximate attackers to bypass the screen locker feature via certain rapid sequences of actions that include app opening, clicking on cancel, and using the home button. |
- risk 0.56cvss 8.6epss 0.01
The image rendering component (createGenericPreview) of the Open Whisper Signal app through 2.29.0 for iOS fails to check for unreasonably large images before manipulating received images. This allows for a large image sent to a user to exhaust all available memory when the…
- risk 0.40cvss 6.1epss 0.01
Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply, a different vulnerability than CVE-2018-10994. The attacker needs to send HTML…
- risk 0.19cvss 4.0epss 0.00
Open Whisper Signal (aka Signal-Desktop) before 1.15.0-beta.10 allows information leakage.
- CVE-2023-24068Jan 23, 2023risk 0.00cvss —epss 0.00
Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, resulting in an attacker's ability to insert…
- CVE-2023-24069Jan 23, 2023risk 0.00cvss —epss 0.01
Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file…
- CVE-2019-19954Dec 24, 2019risk 0.00cvss —epss 0.00
Signal Desktop before 1.29.1 on Windows allows local users to gain privileges by creating a Trojan horse %SYSTEMDRIVE%\node_modules\.bin\wmic.exe file.
- CVE-2019-9970Mar 24, 2019risk 0.00cvss —epss 0.02
Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even…
- CVE-2018-3988Dec 10, 2018risk 0.00cvss —epss 0.01
Signal Messenger for Android 4.24.8 may expose private information when using "disappearing messages." If a user uses the photo feature available in the "attach file" menu, then Signal will leave the picture in its own cache directory, which is available to any application on…
- risk 0.00cvss 6.1epss 0.01
js/views/message_view.js in Open Whisper Signal (aka Signal-Desktop) before 1.10.1 allows XSS via a URL.
- risk 0.00cvss 6.8epss 0.00
The Open Whisper Signal app before 2.23.2 for iOS allows physically proximate attackers to bypass the screen locker feature via certain rapid sequences of actions that include app opening, clicking on cancel, and using the home button.