PT-2020-13864 · Viber · Viber For Windows

Published 2020-06-22 · Updated 2021-07-21 · CVE-2020-14049

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Viber for Windows versions up to 13.2.0.39

Description: The issue arises from Viber for Windows not properly quoting its custom URI handler, allowing a malicious website to launch Viber with arbitrary parameters. This could force a victim to send an NTLM authentication request, which could then be relayed or have its hash captured for offline password cracking.

Recommendations: For versions up to 13.2.0.39, update to a version that properly quotes its custom URI handler to prevent malicious exploitation.
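
As an added example (not part of the advisory and not Viber's code), the following Python check flags URI-handler command strings in which the URL placeholder sits outside double quotes, the defect described above. The sample registrations are constructed, and the placeholder set and the `registered_url_handlers()` helper are assumptions of this example.

```python
# Added example: flags URI-handler commands whose URL placeholder is unquoted.
# Placeholders that Windows replaces with the URI (assumed set: %1, %L, %l).
PLACEHOLDER_CHARS = ("1", "L", "l")

# Constructed sample registrations (hypothetical apps, not Viber's real value).
SAMPLE_HANDLERS = {
    "exampleapp": r'"C:\Program Files\ExampleApp\app.exe" %1',
    "examplechat": r'"C:\Program Files\ExampleChat\chat.exe" "%1"',
    "examplenote": r'C:\Tools\note.exe --open="%L" --ref %1',
}

def unquoted_placeholders(command):
    """Return the placeholders in `command` that sit outside double quotes."""
    found, in_quotes, i = [], False, 0
    while i < len(command):
        ch = command[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "%" and command[i + 1:i + 2] in PLACEHOLDER_CHARS:
            if not in_quotes:
                found.append(command[i:i + 2])
            i += 1  # skip the placeholder letter
        i += 1
    return found

def audit_handlers(handlers):
    """Map scheme -> unquoted placeholders, for handlers that have any."""
    checked = {s: unquoted_placeholders(c) for s, c in handlers.items()}
    return {s: bad for s, bad in checked.items() if bad}

def registered_url_handlers():
    """Windows only: map each registered URL scheme to its open command."""
    import winreg
    handlers = {}
    root = winreg.HKEY_CLASSES_ROOT
    for i in range(winreg.QueryInfoKey(root)[0]):
        try:
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as key:
                winreg.QueryValueEx(key, "URL Protocol")  # marks a URI scheme
                handlers[name] = winreg.QueryValue(key, r"shell\open\command")
        except OSError:
            continue  # not a URL scheme, or no open command registered
    return handlers

if __name__ == "__main__":
    for scheme, bad in audit_handlers(SAMPLE_HANDLERS).items():
        print(f"{scheme}: unquoted {', '.join(bad)}")
```

On Windows, `audit_handlers(registered_url_handlers())` runs the same check against the live registry. The check covers quoting only, which is the condition this advisory names.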

Exploit

Fix

Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2020-14049

Affected Products

Viber For Windows