Vulnerability Information
Vulnerability Title
deepinid plugin in dde-control-center is configured to skip TLS certificate verification when downloading avatar from remote server
Vulnerability Description
dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Vulnerability Type
Improper Certificate Validation
Vulnerability Title
dde-control-center trust management issue vulnerability
Vulnerability Description
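dde-control-center is an open-source control center for the Deepin Desktop Environment from Wuhan deepin Technology Co.,Ltd. Versions of dde-control-center prior to 6.1.80 contain a trust management issue vulnerability. The vulnerability stems from the plugin-deepinid plugin skipping TLS certificate verification when fetching the user's avatar, which may allow a man-in-the-middle attacker to replace the avatar or identify the user.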
CVSS Information
N/A
Vulnerability Type
N/A