CVE-2020-15258

Name: CVE-2020-15258
Creator: NVD / NIST
Published: 2020-10-16T17:15:12.247+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8/10EPSS 2.00%

Last modified Jun 17, 2026

CVE-2020-15258 is a high-severity vulnerability rated 8/10 on the CVSS scale. In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victims machine by sending messages containing links with arbitrary protocols. EPSS estimates a 2.00% chance of exploitation in the next 30 days.

Description

In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victims machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The issue was patched by implementing a helper function which checks if the URL's protocol is common. If it is common, the URL will be opened externally. If not, the URL will not be opened and a warning appears for the user informing them that a probably insecure URL was blocked from being executed. The issue is patched in Wire 3.20.x. More technical details about exploitation are available in the linked advisory.

Metrics

CVSS 3.1

8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

2.00%

78.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-20

Affected Software

Vendor	Product	Versions
Wire	Wire	< 3.20.2934

References

https://benjamin-altpeter.de/shell-openexternal-dangers/Exploit, Third Party Advisory
https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623bPatch, Third Party Advisory
https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpmExploit, Third Party Advisory
https://benjamin-altpeter.de/shell-openexternal-dangers/Exploit, Third Party Advisory
https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623bPatch, Third Party Advisory
https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpmExploit, Third Party Advisory

Timeline

Published: Oct 16, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-15258?

How severe is CVE-2020-15258?

CVE-2020-15258 has a CVSS score of 8/10 (HIGH severity). The EPSS model estimates a 2.00% probability of exploitation in the next 30 days.

How do I fix CVE-2020-15258?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-15258?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST