CVE-2019-18426
Published 2020-01-21
Priority: P1 · 85 · high · 8.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-13
Exploited in the wild
EPSS: 67.86% (99.2nd percentile)
A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| — | whatsapp_desktop | — | — |
| — | whatsapp_desktop | >= unspecified, < 0.3.9309 | 0.3.9309 |
| — | whatsapp_desktop | < 0.3.9309 | 0.3.9309 |
| — | WhatsApp for iPhone | < 2.20.10 | 2.20.10 |
Detection & IOCs (extracted from sources)
- Detect WhatsApp Desktop messages containing a link preview with a `javascript:` URI scheme payload, specifically the pattern `javascript:"https://...";eval(atob(...))`, which is the exploit delivery vector.
- Monitor for WhatsApp Desktop processes making `file://` scheme fetch requests to local filesystem paths (e.g. `file:///C:/windows/system32/drivers/etc/hosts`); such a request indicates successful XSS exploitation and a local file read.
- The exploit is triggered when the victim clicks a link preview in a specially crafted text message; monitor for user interaction with link previews in WhatsApp Desktop versions prior to 0.3.9309.
- Look for the WhatsApp message object properties `__x_matchedText` and `__x_body` being set to `javascript:` URI payloads, visible in browser devtools or through memory forensics.
- The base64 string `ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz` decodes to `file:///C:/windows/system32/drivers/etc/hosts`; flag its presence in network traffic or process memory associated with WhatsApp Desktop.
- The vulnerability only exists when WhatsApp Desktop (prior to 0.3.9309) is paired with WhatsApp for iPhone (prior to 2.20.10); both version conditions must be met simultaneously for the attack to succeed.
- The published exploit targets the WhatsApp Web source code compiled specifically for version 0.3.9308; its breakpoint-based injection technique is a proof of concept that requires local devtools access to craft the malicious message.
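The first, fourth and fifth indicators above can be checked mechanically. The following is an added detection example, not code from WhatsApp or any of the cited advisories: it inspects the `__x_matchedText` and `__x_body` fields of a message for a `javascript:` scheme, an `eval(atob(...))` stub, and base64 arguments that decode to a `file://` URI; the message samples are constructed.

```python
import base64
import re
# Added detection example for the CVE-2019-18426 link-preview IOCs listed above; it is
# not code from WhatsApp or the cited advisories. The field names __x_matchedText and
# __x_body come from the IOC list; the sample messages at the bottom are constructed.
ATOB_CALL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
FILE_URI = re.compile(r"\bfile:///?", re.IGNORECASE)

def has_javascript_scheme(value):
    """Strip control chars/whitespace first (URL parsers ignore them) so 'java\\tscript:' is caught."""
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")

def decode_atob_args(text):
    """Decode every atob("...") argument, skipping strings that are not valid base64."""
    decoded = []
    for b64 in ATOB_CALL.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return decoded

def inspect_message(msg):
    """Map each suspicious link-preview field of a message dict to its list of reasons."""
    findings = {}
    for name in ("__x_matchedText", "__x_body"):
        value, reasons = msg.get(name, ""), []
        if has_javascript_scheme(value):
            reasons.append("javascript: scheme where an http(s) preview link is expected")
        if "eval(" in value and "atob(" in value:
            reasons.append("eval(atob(...)) decoder stub present")
        for payload in decode_atob_args(value):
            if FILE_URI.search(payload):
                reasons.append("base64 argument decodes to local file URI: " + payload)
        if reasons:
            findings[name] = reasons
    return findings

def scan(messages):
    """Ids of the messages that produced at least one finding."""
    return [m["id"] for m in messages if inspect_message(m)]

# Constructed samples: a normal preview and one matching the published IOC pattern.
PAYLOAD = 'javascript:"https://example.com";eval(atob("ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz"))'
SAMPLES = [
    {"id": "benign", "__x_matchedText": "https://example.com/post/1",
     "__x_body": "worth a read: https://example.com/post/1"},
    {"id": "suspicious", "__x_matchedText": PAYLOAD, "__x_body": PAYLOAD},
]
```

The same checks can be run over message objects dumped from devtools or carved from process memory, since only the two string fields are needed.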
CVSS provenance
- NVD v3.1: 8.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
- NVD v2.0: 5.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:N
- VulnCheck: 8.2 HIGH
- CISA: 8.2 HIGH
GHSA
GHSA-x67c-8vp2-26mr (ghsa_unreviewed, 2022-05-24): CVE-2019-18426 [MEDIUM] CWE-79
A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.
VulnCheck
WhatsApp Cross-Site Scripting Vulnerability (vulncheck, 2019, CVSS 8.2): CVE-2019-18426 [HIGH] CWE-79
A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading.
- Affected: Meta Platforms WhatsApp
- Required Action: Apply updates per vendor instructions.
- Known Ransomware Campaign Use: Known
- Exploitation References: https://cybersecurityworks.com/howdymanage/uploads/file/RansomwareUpdate%20Report%202022%20Q1.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- Exploit PoC: https://vulncheck.com/xdb/e216d19cc7af
- Remediation Due: 2022-06-13
CISA
WhatsApp Cross-Site Scripting Vulnerability (cisa, 2022-05-23, CVSS 8.2): CVE-2019-18426 [HIGH] CWE-79
A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading.
- Affected: Meta Platforms WhatsApp
- Required Action: Apply updates per vendor instructions.
- Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-18426
- Remediation Due Date: 2022-06-13
No detection rules found.
References
- http://packetstormsecurity.com/files/157097/WhatsApp-Desktop-0.3.9308-Cross-Site-Scripting.html
- https://www.facebook.com/security/advisories/cve-2019-18426
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-18426
Timeline
- 2020-01-21: Published
- 2022-05-23: Added to CISA KEV
- Exploited in the wild