CVE-2018-20436
HIGHTelegram 4.9.1 and Web 0.7.0 - Server-Side Request Forgery via URL Preview in Secret Chat
Title source: manualDescription
The "secret chat" feature in Telegram 4.9.1 for Android has a "side channel" in which Telegram servers send GET requests for URLs typed while composing a chat message, before that chat message is sent. There are also GET requests to other URLs on the same web server. This also affects one or more other Telegram products, such as Telegram Web-version 0.7.0. In addition, it can be interpreted as an SSRF issue. NOTE: a third party has reported that potentially unwanted behavior is caused by misconfiguration of the "Secret chats > Preview links" setting
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://misteralfa-hack.blogspot.com/2018/12/abusando-de-telegram-para-conseguir-una.html
Exploit, Third Party Advisory x_refsource_misc
https://misteralfa-hack.blogspot.com/2018/12/telegram-siempre-in-middle.html
Scores
CVSS v3
8.1
EPSS
0.0155
EPSS Percentile
72.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-918
Status
published
Products (2)
telegram/telegram
4.9.1
telegram/web
0.7.0
Published
Dec 24, 2018
Tracked Since
Feb 18, 2026