WhatsApp Cross-Site Scripting Vulnerability
A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading.
A remote attacker, without authentication, can achieve full data confidentiality loss, partial data tampering. Federal agencies are required to remediate by 2022-06-13 under CISA BOD 22-01.
This is a Cross-Site Scripting (XSS) (CWE-79) vulnerability in Meta Platforms WhatsApp. A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message. Exploitation requires remote network access, low attack complexity, no authentication required, and user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/157097/WhatsApp-Desktop-0.3.9308-Cross-Site-Scripting.html
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply updates per vendor instructions.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References