Voltar para o portal de segurança
XSS in Trezor Connect legacy versions
Reportado em February 7, 2023
We were notified by Jun Kokatsu that there were XSS vulnerabilities, similar to those reported in August 2020. These vulnerabilities were present in the deprecated versions of Trezor Connect that were however still available to legacy implementations on urls https://trezor.connect.io/5, https://trezor.connect.io/6 and https://trezor.connect.io/7.
This issue posed a potential threat of a phishing attack which could gain more trust by changing content served from the trezor.io domain. The issue was fixed by removing those affected versions completely.
Reportado por Jun Kokatsu
Trezor Connect
Vulnerabilidades resolvidas
Reportado pela comunidade. Investigado. Resolvido. Porque sua segurança nunca é opcional.
- Inability to cancel certain flows on pre-production firmware31 de outubro de 2025
- Donjon's Trezor Safe 3 evaluation12 de novembro de 2024
- Missing confirmation in the ECDHSessionKey call26 de novembro de 2023
- Insufficient field size check in Protobuf12 de julho de 2021
- XSS in Trezor Connect3 de agosto de 2020
- Missing path isolation check14 de julho de 2020