RaphielGang / Telegram-Paperplane

The Paperplane userbot project - a Telegram userbot helping to improve your Telegram experience. https://t.me/tgpaperplane

[DV-SA] Remote Privilege Elevation in Event Register #238

Closed zakaryan2004 closed 4 years ago

zakaryan2004 commented 4 years ago

Identifier for the advisory (mandatory). Will be assigned a "DV-SA-[NO][STATE]" identifier, e.g. DV-SA-00-ST.
DV-SA-36CA

Name of the affected project (mandatory)
Paperplane

Disclosure date of the advisory as an RFC 3339 date (mandatory)
2020-04-28

Single-line description of a vulnerability (mandatory)
A flaw in Event Register allows Remote Privilege Elevation

URL to a long-form description of this issue, e.g. a GitHub issue/PR, a changelog entry, or a blog post announcing the release (optional)
Pull Request #237

Optional: Categories this advisory falls under. Valid categories are: "code-execution", "crypto-failure", "denial-of-service", "file-disclosure", "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"
privilege-escalation
code-execution

Optional: a Common Vulnerability Scoring System score. More information can be found on the CVSS website, https://www.first.org/cvss/.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Vulnerability aliases, e.g. CVE IDs (optional but recommended)
[ Unassigned ]

References to related vulnerabilities (optional)
[ Unassigned ]

Enter a short-form description of the vulnerability here (mandatory)
Telegram allows for messages in a channel to be edited by all of the admins. The attacker edits a message the user posted on a channel and can fully use every command and have full privileges.

The flaw was corrected by @penn5

Optional: metadata which narrows the scope of what this advisory affects
[ Unassigned ]

CPU architectures impacted by this vulnerability (optional). Only use this if the vulnerability is specific to a particular CPU architecture.
all-arch

Operating systems impacted by this vulnerability (optional)
all-os

Versions which include fixes for this vulnerability (mandatory)
master
staging
compose

Versions which were never vulnerable (optional)
[ Unassigned ]

RealAkito commented 4 years ago

Closing, patched.
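
The trust decision described in the advisory, as an added example that is not Paperplane's code or the patch from Pull Request #237: a command gate that trusts only an "outgoing" flag, next to one that also refuses edits made in a channel where every admin can edit posts. The `MessageEvent` fields, the `.` prefix, the `echo` handler and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PREFIX = "."  # assumed command prefix


@dataclass
class MessageEvent:
    """Constructed stand-in for a client-library event; field names are hypothetical."""
    text: str
    outgoing: bool           # flagged as sent by the userbot's own account
    edited: bool             # raised by an edit rather than a new message
    broadcast_channel: bool  # channel whose posts any admin may edit


def accepts_vulnerable(ev):
    # Trusts the outgoing flag for new messages and edits alike.
    return ev.outgoing and ev.text.startswith(PREFIX)


def accepts_hardened(ev):
    # After an edit in a broadcast channel the current text may be another
    # admin's, so the outgoing flag no longer identifies its author.
    if ev.edited and ev.broadcast_channel:
        return False
    return ev.outgoing and ev.text.startswith(PREFIX)


def dispatch(ev, accepts, handlers):
    """Run the handler named in ev.text if the gate accepts the event."""
    if not accepts(ev):
        return None
    name, _, arg = ev.text[len(PREFIX):].partition(" ")
    handler = handlers.get(name)
    return handler(arg) if handler else None


HANDLERS = {"echo": lambda arg: "ran echo: " + arg}  # harmless sample command

# Constructed sample events (text, outgoing, edited, broadcast_channel).
OWN_NEW_PRIVATE = MessageEvent(".echo hi", True, False, False)
OWN_EDIT_PRIVATE = MessageEvent(".echo hi again", True, True, False)
OWN_NEW_CHANNEL = MessageEvent(".echo post", True, False, True)
EDITED_CHANNEL_POST = MessageEvent(".echo edited", True, True, True)

if __name__ == "__main__":
    for ev in (OWN_NEW_PRIVATE, OWN_EDIT_PRIVATE, OWN_NEW_CHANNEL, EDITED_CHANNEL_POST):
        print(ev.text, "| vulnerable:", dispatch(ev, accepts_vulnerable, HANDLERS),
              "| hardened:", dispatch(ev, accepts_hardened, HANDLERS))
```

The hardened gate still honours the owner's own edits in private chats and new channel posts; only the edited channel post, whose author cannot be established from the flag, is dropped.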