CVE-2020-17448: 
Telegram Desktop vulnerability analysis and mitigation

Telegram Desktop through version 2.1.13 was discovered to contain a vulnerability (CVE-2020-17448) that allows attackers to bypass the Dangerous File Type Execution protection mechanism. The vulnerability was discovered in June 2020 and was patched in version 2.2.0 (Telegram Release). The issue specifically involves the chat window functionality where files lacking an extension could bypass security controls (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-863 (Incorrect Authorization). The security flaw allows attackers to circumvent the application's built-in protection against dangerous file types by using files without extensions (NVD).

The vulnerability could lead to the execution of malicious files on the victim's system. When successfully exploited, the attacker could bypass the application's security controls designed to protect against dangerous file execution, potentially leading to unauthorized code execution (Github Advisory).

The vulnerability was patched in Telegram Desktop version 2.2.0. Users are advised to upgrade to this version or later to protect against this security issue. Gentoo Linux users should upgrade to version 2.4.4 or later (Gentoo Advisory).

The vulnerability was reported to Telegram in June 2020, and the vendor acknowledged it in July 2020. The issue was subsequently patched, and the researcher was rewarded with a bounty for the discovery (Github Advisory).