CVE-2026-35207— dde-control-center 信任管理问题漏洞

deepinid plugin in dde-control-center is configured to skip TLS certificate verification when downloading avatar from remote server

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

证书验证不恰当

dde-control-center 信任管理问题漏洞

dde-control-center是Wuhan deepin Technology Co.,Ltd.开源的一个深度桌面环境的控制中心。 dde-control-center 6.1.80之前版本存在信任管理问题漏洞，该漏洞源于plugin-deepinid插件在获取用户头像时跳过TLS证书验证，可能导致中间人攻击者替换头像或识别用户。

N/A

N/A