⚠ Actively exploited

Added to CISA KEV on 2022-05-23. Federal agencies required to patch by 2022-06-13. Required action: Apply updates per vendor instructions..

CVE-2019-18426 — Cross-site Scripting in Whatsapp Desktop

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

8.2HIGHNVD

EPSS

55.3%

top 1.93%

CISA KEV

KEV

Added 2022-05-23

Due 2022-06-13

Exploit

Exploited in wild

Active exploitation observed

Affected products

Facebook Whatsapp Desktop Whatsapp

Timeline

PublishedJan 21

KEV addedMay 23

Latest updateMay 24

KEV dueJun 13

CISA Required Action: Apply updates per vendor instructions.

Description

A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.7

Affected Packages2 packages

▶CVEListV5facebook/whatsapp_desktopunspecified — 0.3.9309+1

▶NVDwhatsapp/whatsapp< 0.3.9309+1

🔴Vulnerability Details

GHSA

GHSA-x67c-8vp2-26mr: A vulnerability in WhatsApp Desktop versions prior to 0↗2022-05-24

▶

CVEList

CVE-2019-18426: A vulnerability in WhatsApp Desktop versions prior to 0↗2020-01-21

▶

VulnCheck

WhatsApp Cross-Site Scripting Vulnerability↗2019

▶

💥Exploits & PoCs

Exploit-DB

WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting↗2020-04-06

▶

📋Vendor Advisories

CISA

WhatsApp Cross-Site Scripting Vulnerability↗2022-05-23

▶