CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15543
https://notcve.org/view.php?id=CVE-2018-15543
An issue was discovered in the org.telegram.messenger application 4.8.11 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the fingerprint API in conjunction with the Android keyGenerator class is not implemented. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred ** EN DISPUTA ** Se ha descubierto un problema en la versión 4.8.11 de la aplicación org.telegram.messenger para Android. La clase FingerprintManager para la validación biométrica permite la omisión de autenticación mediante el método callback desde onAuthenticationFailed a onAuthenticationSucceeded con un null. • https://gist.github.com/tanprathan/d286c0d5b02e344606287774304a1ccd • CWE-287: Improper Authentication •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15542
https://notcve.org/view.php?id=CVE-2018-15542
An issue was discovered in the org.telegram.messenger application 4.8.11 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred ** EN DISPUTA ** Se ha descubierto un problema en la versión 4.8.11 de la aplicación org.telegram.messenger para Android. La funcionalidad Passcode permite la omisión de autenticación mediante la manipulación en tiempo de ejecución que fuerza el valor de retorno de cierto método a ser "true". • https://gist.github.com/tanprathan/18d0f692a2485acfb5693e2f6dabeb5d • CWE-287: Improper Authentication •