CVE Vulnerability

CVE-2020-25824

Telegram Desktop through 2.4.3 does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files.

2.1 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

2.4 /10

CVSS v3.0 : LOW

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 1.4

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.Telegram.org Product
https://github.com/telegramdesktop/tdesktop/releases/tag/v2.4.3 Release Notes Third Party Advisory
https://github.com/soheilsamanabadi/vulnerability/blob/main/Telegram-Desktop-CVE-2020-25824 Third Party Advisory
https://security.gentoo.org/glsa/202101-34 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:telegram:telegram_desktop:*:*:*:*:*:*:*:*
Information

Published : 2020-10-14 03:15

Updated : 2021-07-21 11:39

NVD link : CVE-2020-25824

Mitre link : CVE-2020-25824

Products Affected

Telegram

Telegram Desktop

CWE
CWE-306