FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-7014

Improper Input Validation (CWE-20)

Published: Jul 23, 2024 / Updated: 3mo ago

010
CVSS 7.1EPSS 0.04%High
CVE info copied to clipboard

Summary

EvilVideo vulnerability allows sending malicious apps disguised as videos in Telegram for Android application affecting versions 10.14.4 and older. This vulnerability is related to improper input validation.

Impact

This vulnerability could allow attackers to distribute malicious applications disguised as video files through the Telegram for Android app. Users might unknowingly install these malicious apps, potentially leading to unauthorized access, data theft, or device compromise. The impact is significant given Telegram's large user base and the trust users place in content shared through the platform.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is likely available for this vulnerability, as it affects Telegram for Android versions 10.14.4 and older. Users should update to the latest version of the Telegram app that addresses this vulnerability.

Mitigation

1. Update Telegram for Android to the latest version (newer than 10.14.4). 2. Educate users about the risks of opening or installing any files, even those appearing as videos, from untrusted sources. 3. Implement mobile device management (MDM) solutions to ensure all company devices are running the latest, patched version of Telegram. 4. Consider using application whitelisting to prevent installation of unauthorized apps on company devices. 5. Regularly scan devices for malware and suspicious applications. 6. Monitor for any unusual activity or unauthorized app installations on devices with Telegram installed.

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-7014

Jul 23, 2024 at 10:15 AM
First Article

Feedly found the first article mentioning CVE-2024-7014. See article

Jul 23, 2024 at 10:20 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jul 23, 2024 at 10:21 AM
Trending

This CVE started to trend in security discussions

Jul 23, 2024 at 10:40 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.4%)

Jul 24, 2024 at 9:39 AM
Trending

This CVE stopped trending in security discussions

Jul 26, 2024 at 11:54 AM
CVSS

A CVSS base score of 7.1 has been assigned.

Oct 28, 2024 at 9:05 PM / nvd
Static CVE Timeline Graph

Affected Systems

Eset
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables
+null more

News

CVE-2024-7014 - Exploits & Severity - Feedly
Google Alert - inoreader OR Feedly OR "Read Less" OR PostGoo OR NewsBlur / 3mo
EvilVideo vulnerability allows sending malicious apps disguised as videos in Telegram for Android application affecting versions 10.14.4 and older. This vulnerability could allow attackers to distribute malicious applications disguised as video files through the Telegram for Android app.
CVE-2024-7014
Newest CVEs from Tenable / 3mo
High Severity Description EvilVideo vulnerability allows sending malicious apps disguised as videos in Telegram for Android application affecting versions 10.14.4 and older. Read more at https://www.tenable.com/cve/CVE-2024-7014
NA - CVE-2024-7014 - EvilVideo vulnerability allows sending...
Security-Database Alerts Monitor : Last 100 Alerts / 3mo
EvilVideo vulnerability allows sending malicious apps disguised as videos in Telegram for Android application affecting versions 10.14.4 and older.
#zeroday / 3mo
ESET Research : Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android Dunno who's interested but the Telegram zero-day reported by ESET and widely circulated in news reporting, has a CVE ID: CVE-2024-7014 (7,1 high, disclosed 22 July 2024 by ESET). The CVE ID isn't listed in the article, and was provided by ESET Research in external communication today. ESET researchers discovered a zero-day exploit for Telegram for Android versions 10.14.4 and older that allows sending malicious files disguised as videos. cc: @ avoidthehack @ jgreig # zeroday # CVE_2024_7014 # cve # vulnerability # telegram
CVE-2024-7014 | Telegram App up to 10.14.4 on Android Video EvilVideo input validation
VulDB Recent Entries / 3mo
A vulnerability, which was classified as critical , has been found in Telegram App up to 10.14.4 on Android. This issue affects some unknown processing of the component Video Handler . The manipulation leads to improper input validation. The identification of this vulnerability is CVE-2024-7014 . The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.
See 6 more articles and social media posts

CVSS V3.1

Unknown

Categories

CWE-20(11385)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial