CVE-2018-3986

low-risk
Published 2019-01-03

An exploitable information disclosure vulnerability exists in the "Secret Chats" functionality of the Telegram Android messaging application version 4.9.0. The "Secret Chats" functionality allows a user to delete all traces of a chat, either by using a time trigger or by direct request. There is a bug in this functionality that leaves behind photos taken and shared on the secret chats, even after the chats are deleted. These photos will be stored in the device and accessible to all applications installed on the Android device.

Do I need to act?

-
0.16% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Telegram

References (4)

Broken Link http://www.securityfocus.com/bid/106295
Exploit https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0654
Broken Link http://www.securityfocus.com/bid/106295
Exploit https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0654
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal