3 matches found
CVE-2018-11101
CVE-2018-11101 affects Signal Desktop (Open Whisper Signal) up to version 1.10.1. The vulnerability arises from incorrect handling of HTML when rendering quoted-reply messages, allowing XSS via HTML injected in a message that is later quoted/replied to. The root cause involved React dangerouslySe...
“I too like to live dangerously”, Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies
Remediation TL;DR If you’re a concerned Signal user please update to the latest version of Signal Desktop fixed in version v1.11.0 which addresses all of these issues. Note that the mobile apps for Signal were not affected by this issue. Background Information If you’re an avid follower of all th...
Signal Desktop HTML Tag Injection Variant 2
Title: Signal-desktop HTML tag injection variant 2 Date Published: 2018-05-16 Last Update: 2018-05-16 CVE Name: CVE-2018-11101 Class: Code injection Remotely Exploitable: Yes Locally Exploitable: No Vendors contacted: Signal.org Vulnerability Description: Signal-desktop is the standalone desktop...