セキュリティポータルに戻る
XSS in Trezor Connect legacy versions
報告日:February 7, 2023
We were notified by Jun Kokatsu that there were XSS vulnerabilities, similar to those reported in August 2020. These vulnerabilities were present in the deprecated versions of Trezor Connect that were however still available to legacy implementations on urls https://trezor.connect.io/5, https://trezor.connect.io/6 and https://trezor.connect.io/7.
This issue posed a potential threat of a phishing attack which could gain more trust by changing content served from the trezor.io domain. The issue was fixed by removing those affected versions completely.
報告者 Jun Kokatsu
Trezor Connect
修正済みの脆弱性
コミュニティからの報告により、調査を行い、問題を解決しました。あなたのセキュリティは常に最優先です。
- Biometric Verification bypassed in Trezor Suite with external monitor2026年3月9日
- Insufficient entropy on Trezor Model One with 12/18 words2026年2月6日
- Inability to cancel certain flows on pre-production firmware2025年10月31日
- Fix side-channel in BIP-39 mnemonic processing when unlocked2025年9月24日
- Donjon's Trezor Safe 3 evaluation2024年11月12日
- Missing confirmation in the ECDHSessionKey call2023年11月26日