Description
A URL validation issue in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://www.whatsapp.com/security/advisories/2020
Scores
CVSS v3
7.5
EPSS
0.0140
EPSS Percentile
69.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (2)
whatsapp/whatsapp
< 2.20.11
whatsapp/whatsapp_business
< 2.20.2
Published
Sep 03, 2020
Tracked Since
Feb 18, 2026