A vulnerability classified as critical has been found in Cryptocat up to 2.0.21. Affected is an unknown part. The manipulation with an unknown input leads to a privileges management vulnerability. CWE is classifying the issue as CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This is going to have an impact on confidentiality, and integrity.

The weakness was disclosed 11/07/2012 by Mario Heiderich, Krzysztof Koktowicz and Maxim Rupp with Cure53 as confirmed blog post (Website). The advisory is shared for download at blog.crypto.cat. The public release has been coordinated in cooperation with the vendor. This vulnerability is traded as CVE-2013-2259 since 02/19/2013. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068.

Upgrading to version 2.0.22 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Further details are available at blog.crypto.cat. The entries 9433, 9434, 9435 and 9436 are pretty similar.

Productinfo

Name

• Cryptocat

Version

• 2.0.0
• 2.0.1
• 2.0.2
• 2.0.3
• 2.0.4
• 2.0.5
• 2.0.6
• 2.0.7
• 2.0.8
• 2.0.9
• 2.0.10
• 2.0.11
• 2.0.12
• 2.0.13
• 2.0.14
• 2.0.15
• 2.0.16
• 2.0.17
• 2.0.18
• 2.0.19
• 2.0.20
• 2.0.21

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion