Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Telegram
(Telegram)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 26 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-09-11 | CVE-2019-16248 | The "delete for" feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that a sender can remove a recipient's copy of a previously sent image (analogous to supported functionality in which a sender can remove a recipient's copy of a previously sent message). | Telegram | 5.5 | ||
| 2021-10-04 | CVE-2021-41861 | The Telegram application 7.5.0 through 7.8.0 for Android does not properly implement image self-destruction, a different vulnerability than CVE-2019-16248. After approximately two to four uses of the self-destruct feature, there is a misleading UI indication that an image was deleted (on both the sender and recipient sides). The images are still present in the /Storage/Emulated/0/Telegram/Telegram Image/ directory. | Telegram | 3.3 | ||
| 2021-02-12 | CVE-2021-27204 | Telegram before 7.4 (212543) Stable on macOS stores the local passcode in cleartext, leading to information disclosure. | Telegram | 5.5 | ||
| 2021-02-12 | CVE-2021-27205 | Telegram before 7.4 (212543) Stable on macOS stores the local copy of self-destructed messages in a sandbox path, leading to sensitive information disclosure. | Telegram | 5.5 | ||
| 2019-03-25 | CVE-2019-10044 | Telegram Desktop before 1.5.12 on Windows, and the Telegram applications for Android, iOS, and Linux, is vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets. | Telegram, Telegram_desktop | 8.8 | ||
| 2019-08-23 | CVE-2019-15514 | The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region's assigned phone numbers. | Telegram | 5.3 | ||
| 2020-03-24 | CVE-2020-10570 | The Telegram application through 5.12 for Android, when Show Popup is enabled, might allow physically proximate attackers to bypass intended restrictions on message reading and message replying. This might be interpreted as a bypass of the passcode feature. | Telegram | 6.1 | ||
| 2020-05-01 | CVE-2020-12474 | Telegram Desktop through 2.0.1, Telegram through 6.0.1 for Android, and Telegram through 6.0.1 for iOS allow an IDN Homograph attack via Punycode in a public URL or a group chat invitation URL. | Telegram, Telegram_desktop | 6.5 | ||
| 2021-05-18 | CVE-2021-31315 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the blit function of their custom fork of the rlottie library. A remote attacker might be able to access Telegram's stack memory out-of-bounds on a victim device via a malicious animated sticker. | Telegram | 5.5 | ||
| 2021-05-18 | CVE-2021-31317 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the VDasher constructor of their custom fork of the rlottie library. A remote attacker might be able to access Telegram's heap memory out-of-bounds on a victim device via a malicious animated sticker. | Telegram | 5.5 |