Zurück zum Sicherheitsportal
XSS in Trezor Connect legacy versions
Gemeldet auf February 7, 2023
We were notified by Jun Kokatsu that there were XSS vulnerabilities, similar to those reported in August 2020. These vulnerabilities were present in the deprecated versions of Trezor Connect that were however still available to legacy implementations on urls https://trezor.connect.io/5, https://trezor.connect.io/6 and https://trezor.connect.io/7.
This issue posed a potential threat of a phishing attack which could gain more trust by changing content served from the trezor.io domain. The issue was fixed by removing those affected versions completely.
Gemeldet durch Jun Kokatsu
Trezor Connect
Behobene Sicherheitslücken
Gemeldet durch Community. Untersucht. Gelöst. Weil deine Sicherheit nie optional ist.
- Inability to cancel certain flows on pre-production firmwareOctober 31, 2025
- Donjon's Trezor Safe 3 evaluationNovember 12, 2024
- Missing confirmation in the ECDHSessionKey callNovember 26, 2023
- Insufficient field size check in ProtobufJuly 12, 2021
- XSS in Trezor ConnectAugust 3, 2020
- Missing path isolation checkJuly 14, 2020