- Description: Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen evidence of exploitation in the wild.
- Source: cve-assign@fb.com
- NVD status: Analyzed
- Products: whatsapp, whatsapp_business
CVSS 3.1
- Type: Secondary
- Base score: 5.4
- Impact score: 2.5
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Severity: MEDIUM
- Hype score: Not currently trending
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:macos:*:*",
            "matchCriteriaId": "05D8407F-8992-483D-A0DA-647C1291378D",
            "versionEndExcluding": "2.25.23.83",
            "versionStartIncluding": "2.25.8.14",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:iphone_os:*:*",
            "matchCriteriaId": "332FD04C-066B-4A88-8F85-AAE1BCBE3B48",
            "versionEndExcluding": "2.25.23.73",
            "versionStartIncluding": "2.25.8.17",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:iphone_os:*:*",
            "matchCriteriaId": "5542D196-8D14-483A-ABAB-0A85EAF6FD82",
            "versionEndExcluding": "2.25.23.82",
            "versionStartIncluding": "2.25.8.14",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]