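Vulnerability Title
N/A
Vulnerability Description
**DISPUTED** Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, so an attacker can insert malicious code into pre-existing attachments or replace them completely. A threat actor can forward the existing attachment in the corresponding conversation to external groups, and the file name and size will not change, allowing the malware to masquerade as another file. NOTE: the vendor disputes the relevance of this finding because the product is not intended to protect against adversaries with this degree of local access.
CVSS Information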
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Vulnerability Category
N/A
Vulnerability Title
N/A
Vulnerability Description
Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, resulting in an attacker's ability to insert malicious code into pre-existing attachments or replace them completely. A threat actor can forward the existing attachment in the corresponding conversation to external groups, and the name and size of the file will not change, allowing the malware to masquerade as another file. NOTE: the vendor disputes the relevance of this finding because the product is not intended to protect against adversaries with this degree of local access.
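CVSS Information
N/A
Vulnerability Category
N/A
Vulnerability Title
Signal Desktop Security Vulnerability
Vulnerability Description
Signal Desktop is a desktop instant messaging application with encryption features. Signal Desktop versions before 6.2.0 contain a security vulnerability. An attacker can exploit this vulnerability to obtain conversation attachments in the attachments.noindex directory.
CVSS Information
N/A
Vulnerability Category
Other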