Vulnerability Description
The "delete for" feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that a sender can remove a recipient's copy of a previously sent image (analogous to supported functionality in which a sender can remove a recipient's copy of a previously sent message).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Telegram | Telegram | < 5.11.0 |
References
- https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdfThird Party Advisory
- https://www.inputzero.io/2019/09/telegram-privacy-fails-again.htmlExploitThird Party Advisory
- https://www.openwall.com/lists/oss-security/2019/09/09/2Mailing ListThird Party Advisory
- https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdfThird Party Advisory
- https://www.inputzero.io/2019/09/telegram-privacy-fails-again.htmlExploitThird Party Advisory
- https://www.openwall.com/lists/oss-security/2019/09/09/2Mailing ListThird Party Advisory
FAQ
What is CVE-2019-16248?
CVE-2019-16248 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The "delete for" feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that ...
How severe is CVE-2019-16248?
CVE-2019-16248 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-16248?
Check the references section above for vendor advisories and patch information. Affected products include: Telegram Telegram.