{"id":"CVE-2020-15502","details":"The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. NOTE: the vendor has stated \"the favicon service adheres to our strict privacy policy.","modified":"2026-04-10T04:23:01.159404Z","published":"2020-07-02T11:15:10.823Z","references":[{"type":"ADVISORY","url":"https://news.ycombinator.com/item?id=23711597"},{"type":"ADVISORY","url":"https://github.com/duckduckgo/Android/issues/527"},{"type":"ADVISORY","url":"https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100"},{"type":"FIX","url":"https://news.ycombinator.com/item?id=23708166"},{"type":"FIX","url":"https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/duckduckgo/android","events":[{"introduced":"0"},{"last_affected":"a2c2ffb6988466edc6c02b94afbe71f6b57d52a9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.58.0"}]}},{"type":"GIT","repo":"https://github.com/duckduckgo/ios","events":[{"introduced":"0"},{"last_affected":"9a85ad48b9bfa416f037980d533a8a1ae05d15f0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.47.1.0"}]}}],"versions":["0.1.0","0.10.0","0.13.0","0.14.0","0.14.1","0.15.0","0.16.0","0.17.0","0.18.0","0.19.0","0.2.0","0.20.0","0.21.0","0.22.0","0.22.1","0.22.2","0.23.0","0.24.0","0.25.0","0.26.0","0.27.0","0.28.0","0.28.1","0.29.0","0.3.0","0.30.0","0.4.0","0.5.0","0.6.0","0.7.0","0.8.0","0.9.0","4.0.0","4.0.1","4.0.10","4.0.11","4.0.2","4.0.3","4.0.4","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.1.1","4.1.2","4.2.0","4.3.0","4.4.0","4.4.1","4.4.2","5.0.0","5.0.1","5.0.2","5.1.0","5.10.0","5.10.1","5.10.2","5.10.3","5.10.4","5.10.5","5.10.6","5.11.0","5.11.1","5.12.0","5.12.1","5.13.0","5.14.0","5.14.1","5.15.0","5.15.1","5.16.0","5.17.0","5.17.1","5.18.0","5.18.1","5.18.2","5.19.0","5.19.1","5.2.0","5.20.0","5.21.0","5.21.1","5.21.2","5.22.0","5.22.1","5.23.0","5.24.0","5.25.0","5.26.0","5.26.1","5.27.0","5.28.0","5.28.1","5.28.2","5.28.3","5.29.0","5.3.0","5.3.1","5.30.0","5.31.0","5.31.1","5.32.0","5.32.1","5.33.0","5.34.0","5.35.0","5.35.1","5.36.0","5.36.1","5.36.2","5.36.3","5.37.0","5.37.1","5.38.0","5.38.1","5.39.0","5.4.0","5.40.0","5.40.1","5.40.2","5.40.3","5.41.0","5.42.0","5.42.1","5.43.0","5.44.0","5.44.1","5.44.2","5.45.0","5.46.0","5.47.0","5.47.1","5.47.2","5.47.3","5.47.4","5.48.0","5.49.0","5.49.1","5.5.0","5.50.0","5.52.0","5.52.1","5.52.2","5.52.3","5.52.4","5.52.5","5.52.6","5.53.0","5.53.1","5.54.0","5.55.0","5.55.1","5.56.0","5.57.1","5.58.0","5.6.0","5.6.1","5.7.0","5.7.1","5.7.2","5.7.3","5.7.4","5.7.5","5.8.0","5.9.0","5.9.1","7.0.0.880","7.0.0.881","7.0.0.882","7.0.0.885","7.0.0.886","7.0.0.887","7.0.0.888","7.0.0.889","7.0.0.890","7.0.0.891","7.0.0.892","7.0.0.893","7.0.1.893","7.0.2.893","7.0.3.894","7.0.4.895","7.0.5.896","7.1.0","7.1.0.0","7.1.0.1","7.1.0.2","7.19.0.0","7.19.1","7.2.0.0","7.2.0.1","7.2.0.2","7.20.0.0","7.21.0.0","7.21.1.0","7.22.0.0","7.23.0.0","7.24.0.0","7.24.1","7.24.2.0","7.25.0.0","7.26.0.0","7.27.0.0","7.28.0.0","7.29.0.0","7.3.0.0","7.3.0.1","7.3.0.2","7.30.0.0","7.31.0.0","7.31.1.0","7.32.0.0","7.32.1.0","7.33.0.0","7.33.1.0","7.34.0.0","7.35.0.0","7.36.0.0","7.37.0","7.38.0","7.39.0.1","7.39.1.0","7.40.0","7.41.0.0","7.41.1","7.42.0.1","7.43.0","7.43.1","7.44.0","7.45.0","7.46.0","7.46.1","7.46.2","7.46.3","7.47.0","7.47.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15502.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}