- Description
- Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
- Source
- cve-assign@fb.com
- NVD status
- Analyzed
- Products
CVSS 3.1
- Type
- Secondary
- Base score
- 4.3
- Impact score
- 1.4
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Severity
- MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-940
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*",
            "matchCriteriaId": "A9F5775D-2CBD-427C-94CD-D01C11559B06",
            "versionEndIncluding": "2.26.7.10",
            "versionStartIncluding": "2.25.8.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:iphone_os:*:*",
            "matchCriteriaId": "9C83C05F-A88D-48B7-8DE8-5B8CBD9FC6B9",
            "versionEndIncluding": "2.26.15.72",
            "versionStartIncluding": "2.25.8.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]