CVE-2020-15502
Last modified
CVE-2020-15502 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. NOTE: the vendor has stated "the favicon service adheres to our strict privacy policy." EPSS estimates a 1.53% chance of exploitation in the next 30 days.
Description
The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. NOTE: the vendor has stated "the favicon service adheres to our strict privacy policy."
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Duckduckgo | Duckduckgo | <= 5.58.0 |
| Duckduckgo | Duckduckgo | <= 7.47.1.0 |
References
- https://github.com/duckduckgo/Android/issues/527 (Third Party Advisory)
- https://news.ycombinator.com/item?id=23708166 (Patch, Third Party Advisory)
- https://news.ycombinator.com/item?id=23711597 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-15502?
How severe is CVE-2020-15502?
How do I fix CVE-2020-15502?
Source: NVD / NIST
