Information disclosure in Telegram Desktop
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-25824 |
| CWE-ID | CWE-862 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Telegram Desktop for Windows Client/Desktop applications / Messaging software |
| Vendor | Telegram |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Missing Authorization
EUVDB-ID: #VU50073
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-25824
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the application does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTelegram Desktop for Windows: 2.4.0 - 2.4.3
CPE2.3- cpe:2.3:a:telegram:telegram_desktop_for_windows:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:telegram:telegram_desktop_for_windows:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:telegram:telegram_desktop_for_windows:2.4.2:*:*:*:*:*:*:*
https://github.com/soheilsamanabadi/vulnerability/blob/main/Telegram-Desktop-CVE-2020-25824
https://github.com/telegramdesktop/tdesktop/releases/tag/v2.4.3
https://security.gentoo.org/glsa/202101-34
https://www.Telegram.org
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
