
22 vulnerabilities by element-hq

CVE-2025-62425 (GCVE-0-2025-62425)

Vulnerability from cvelistv5 – Published: 2025-10-16 18:44 – Updated: 2025-10-16 19:34
Summary
MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1.
CWE
  • CWE-620 - Unverified Password Change
Assigner
Impacted products
Vendor Product Version
element-hq matrix-authentication-service Affected: >= 0.20.0, <= 1.4.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62425",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T19:34:02.667856Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T19:34:11.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "matrix-authentication-service",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.20.0, \u003c= 1.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "CWE-620: Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T18:44:02.616Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/matrix-authentication-service/security/advisories/GHSA-6wfp-jq3r-j9xh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/matrix-authentication-service/security/advisories/GHSA-6wfp-jq3r-j9xh"
        },
        {
          "name": "https://github.com/element-hq/matrix-authentication-service/commit/bce99edb6177be11f8f38c1d01f5606ce7b4b2e5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/matrix-authentication-service/commit/bce99edb6177be11f8f38c1d01f5606ce7b4b2e5"
        }
      ],
      "source": {
        "advisory": "GHSA-6wfp-jq3r-j9xh",
        "discovery": "UNKNOWN"
      },
      "title": "Matrix Authentication Service account password can be changed using an authenticated session without supplying the current password"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62425",
    "datePublished": "2025-10-16T18:44:02.616Z",
    "dateReserved": "2025-10-13T16:26:12.180Z",
    "dateUpdated": "2025-10-16T19:34:11.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-61672 (GCVE-0-2025-61672)

Vulnerability from cvelistv5 – Published: 2025-10-08 14:55 – Updated: 2025-10-15 16:11
Summary
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 or 1.139.2.
CWE
  • CWE-1287 - Improper Validation of Specified Type of Input
Assigner
Impacted products
Vendor Product Version
element-hq synapse Affected: < 1.138.3
Affected: = 1.139.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-61672",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T16:10:58.297046Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T16:11:07.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.138.3"
            },
            {
              "status": "affected",
              "version": "= 1.139.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1287",
              "description": "CWE-1287: Improper Validation of Specified Type of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-08T14:55:06.378Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr"
        },
        {
          "name": "https://github.com/element-hq/synapse/pull/17097",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/synapse/pull/17097"
        },
        {
          "name": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1"
        },
        {
          "name": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740"
        },
        {
          "name": "https://github.com/element-hq/synapse/releases/tag/v1.138.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3"
        },
        {
          "name": "https://github.com/element-hq/synapse/releases/tag/v1.139.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1"
        }
      ],
      "source": {
        "advisory": "GHSA-fh66-fcv5-jjfr",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse: Invalid device keys degrade federation functionality"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-61672",
    "datePublished": "2025-10-08T14:55:06.378Z",
    "dateReserved": "2025-09-29T20:25:16.180Z",
    "dateUpdated": "2025-10-15T16:11:07.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-59161 (GCVE-0-2025-59161)

Vulnerability from cvelistv5 – Published: 2025-09-16 16:44 – Updated: 2025-09-16 18:26
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room's entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker's room and restoring the original room.
CWE
  • CWE-20 - Improper Input Validation
Assigner
Impacted products
Vendor Product Version
element-hq element-web Affected: < 1.11.112

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59161",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-16T17:29:24.810855Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-16T18:26:26.341Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-web",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.11.112"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room\u0027s entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker\u0027s room and restoring the original room."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-16T16:44:15.660Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr"
        },
        {
          "name": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5"
        }
      ],
      "source": {
        "advisory": "GHSA-m6c8-98f4-75rr",
        "discovery": "UNKNOWN"
      },
      "title": "In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59161",
    "datePublished": "2025-09-16T16:44:15.660Z",
    "dateReserved": "2025-09-09T15:23:16.327Z",
    "dateUpdated": "2025-09-16T18:26:26.341Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27599 (GCVE-0-2025-27599)

Vulnerability from cvelistv5 – Published: 2025-04-18 15:49 – Updated: 2025-04-18 16:06
Summary
Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and automatically grant it temporary access to microphone and camera. This issue has been patched in version 25.04.2.
CWE
  • CWE-926 - Improper Export of Android Application Components
  • CWE-20 - Improper Input Validation
Assigner
Impacted products

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27599",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-18T16:05:58.191971Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-18T16:06:04.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-x-android",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 25.04.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and automatically grant it temporary access to microphone and camera. This issue has been patched in version 25.04.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-926",
              "description": "CWE-926: Improper Export of Android Application Components",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-18T15:49:11.899Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-m5px-pwq3-4p5m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-m5px-pwq3-4p5m"
        },
        {
          "name": "https://github.com/element-hq/element-x-android/commit/dc058544d7e693c04298191c1aadd5b39c9be52e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-x-android/commit/dc058544d7e693c04298191c1aadd5b39c9be52e"
        },
        {
          "name": "https://github.com/element-hq/element-x-android/releases/tag/v25.04.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-x-android/releases/tag/v25.04.2"
        }
      ],
      "source": {
        "advisory": "GHSA-m5px-pwq3-4p5m",
        "discovery": "UNKNOWN"
      },
      "title": "Element X Android vulnerable to loading malicious web pages via received intent"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27599",
    "datePublished": "2025-04-18T15:49:11.899Z",
    "dateReserved": "2025-03-03T15:10:34.078Z",
    "dateUpdated": "2025-04-18T16:06:04.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32026 (GCVE-0-2025-32026)

Vulnerability from cvelistv5 – Published: 2025-04-08 15:22 – Updated: 2025-04-08 20:02
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem.
CWE
  • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
Impacted products
Vendor Product Version
element-hq element-web Affected: >= 1.11.16, < 1.11.97

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32026",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-08T20:02:07.589546Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-08T20:02:20.297Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-web",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.11.16, \u003c 1.11.97"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-497",
              "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-08T15:22:54.903Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79"
        }
      ],
      "source": {
        "advisory": "GHSA-69q3-jg79-cg79",
        "discovery": "UNKNOWN"
      },
      "title": "Element Web could load a malicious instance of Element Call leaking media encryption keys"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32026",
    "datePublished": "2025-04-08T15:22:54.903Z",
    "dateReserved": "2025-04-01T21:57:32.956Z",
    "dateUpdated": "2025-04-08T20:02:20.297Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-31126 (GCVE-0-2025-31126)

Vulnerability from cvelistv5 – Published: 2025-04-03 17:54 – Updated: 2025-04-07 18:24
Summary
Element X iOS is a Matrix iOS Client provided by Element. In Element X iOS versions between 1.6.13 and 25.03.7, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.8.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
element-hq element-x-ios Affected: >= 1.6.13, < 25.03.8

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31126",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-07T18:23:56.839530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-07T18:24:07.364Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-x-ios",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.6.13, \u003c 25.03.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element X iOS is a Matrix iOS Client provided by Element. In Element X iOS version between 1.6.13 and 25.03.7, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-03T17:54:27.901Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-x-ios/security/advisories/GHSA-69qf-p24v-rf8j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-x-ios/security/advisories/GHSA-69qf-p24v-rf8j"
        },
        {
          "name": "https://github.com/element-hq/element-meta/issues/2441",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-meta/issues/2441"
        }
      ],
      "source": {
        "advisory": "GHSA-69qf-p24v-rf8j",
        "discovery": "UNKNOWN"
      },
      "title": "Element X iOS allows the entity in control of the well-known file to break the confidentiality of embedded Element Call"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-31126",
    "datePublished": "2025-04-03T17:54:27.901Z",
    "dateReserved": "2025-03-26T15:04:52.626Z",
    "dateUpdated": "2025-04-07T18:24:07.364Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-31127 (GCVE-0-2025-31127)

Vulnerability from cvelistv5 – Published: 2025-04-03 17:54 – Updated: 2025-04-07 18:24
Summary
Element X Android is a Matrix Android Client provided by element.io. In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.4.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
element-hq element-x-android Affected: >= 0.4.16, < 25.03.4

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31127",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-07T18:24:36.927877Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-07T18:24:45.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-x-android",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.4.16, \u003c 25.03.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element X Android is a Matrix Android Client provided by element.io. In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-03T17:54:22.695Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-x2g5-f28j-p7w6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-x2g5-f28j-p7w6"
        },
        {
          "name": "https://github.com/element-hq/element-meta/issues/2441",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-meta/issues/2441"
        }
      ],
      "source": {
        "advisory": "GHSA-x2g5-f28j-p7w6",
        "discovery": "UNKNOWN"
      },
      "title": "Element X Android allows the entity in control of the well-known file to break the confidentiality embedded Element Call"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-31127",
    "datePublished": "2025-04-03T17:54:22.695Z",
    "dateReserved": "2025-03-26T15:04:52.626Z",
    "dateUpdated": "2025-04-07T18:24:45.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-30355 (GCVE-0-2025-30355)

Vulnerability from cvelistv5 – Published: 2025-03-27 00:59 – Updated: 2025-03-27 13:47
Summary
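Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available. Note: the CISA ADP SSVC entry in the record below lists "Exploitation": "none", which does not match the CNA's statement of in-the-wild exploitation; prioritise the upgrade on the basis of the CNA statement.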
CWE
  • CWE-20 - Improper Input Validation
Assigner
Impacted products
Vendor Product Version
element-hq synapse Affected: < 1.127.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30355",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T13:47:41.011255Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T13:47:50.179Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.127.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-27T00:59:27.996Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6"
        },
        {
          "name": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389"
        },
        {
          "name": "https://github.com/element-hq/synapse/releases/tag/v1.127.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/synapse/releases/tag/v1.127.1"
        }
      ],
      "source": {
        "advisory": "GHSA-v56r-hwv5-mxg6",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse vulnerable to federation denial of service via malformed events"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-30355",
    "datePublished": "2025-03-27T00:59:27.996Z",
    "dateReserved": "2025-03-21T14:12:06.270Z",
    "dateUpdated": "2025-03-27T13:47:50.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27606 (GCVE-0-2025-27606)

Vulnerability from cvelistv5 – Published: 2025-03-14 16:56 – Updated: 2025-03-14 18:11
Summary
Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to log out the user if they enter the wrong PIN more than the configured number of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue.
CWE
  • CWE-488 - Exposure of Data Element to Wrong Session
Assigner
Impacted products
Vendor Product Version
element-hq element-android Affected: < 1.6.34

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27606",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-14T18:07:15.449909Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T18:11:03.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-android",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.34"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than the configured amount of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-488",
              "description": "CWE-488: Exposure of Data Element to Wrong Session",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-14T16:56:23.217Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-android/security/advisories/GHSA-632v-9pm3-m8ch",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-android/security/advisories/GHSA-632v-9pm3-m8ch"
        },
        {
          "name": "https://github.com/element-hq/element-android/commit/53bd78b05de375c6e6b0b5aa794a56b4ba95984c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-android/commit/53bd78b05de375c6e6b0b5aa794a56b4ba95984c"
        },
        {
          "name": "https://github.com/element-hq/element-android/commit/87d7fcdc8036a4db4da8c403f87c73a64a546304",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-android/commit/87d7fcdc8036a4db4da8c403f87c73a64a546304"
        }
      ],
      "source": {
        "advisory": "GHSA-632v-9pm3-m8ch",
        "discovery": "UNKNOWN"
      },
      "title": "Element Android PIN autologout bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27606",
    "datePublished": "2025-03-14T16:56:23.217Z",
    "dateReserved": "2025-03-03T15:10:34.079Z",
    "dateUpdated": "2025-03-14T18:11:03.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37303 (GCVE-0-2024-37303)

Vulnerability from cvelistv5 – Published: 2024-12-03 17:06 – Updated: 2024-12-03 18:51
Summary
Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
CWE
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
element-hq synapse Affected: < 1.106

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "synapse",
            "vendor": "element-hq",
            "versions": [
              {
                "lessThan": "1.106",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37303",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T18:49:29.668536Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T18:51:29.590Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.106"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T17:06:02.467Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr"
        },
        {
          "name": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916"
        }
      ],
      "source": {
        "advisory": "GHSA-gjgr-7834-rhxr",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse unauthenticated writes to the media repository allow planting of problematic content"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-37303",
    "datePublished": "2024-12-03T17:06:02.467Z",
    "dateReserved": "2024-06-05T20:10:46.497Z",
    "dateUpdated": "2024-12-03T18:51:29.590Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37302 (GCVE-0-2024-37302)

Vulnerability from cvelistv5 – Published: 2024-12-03 17:04 – Updated: 2024-12-03 18:56
Summary
Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to complete unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
Vendor Product Version
element-hq synapse Affected: < 1.106

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "synapse",
            "vendor": "element-hq",
            "versions": [
              {
                "lessThan": "1.106",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37302",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T18:55:21.581964Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T18:56:17.082Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.106"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user\u0027s ability to request large amounts of data to be cached."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T17:04:15.839Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x"
        }
      ],
      "source": {
        "advisory": "GHSA-4mhg-xv73-xq2x",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse denial of service through media disk space consumption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-37302",
    "datePublished": "2024-12-03T17:04:15.839Z",
    "dateReserved": "2024-06-05T20:10:46.497Z",
    "dateUpdated": "2024-12-03T18:56:17.082Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-52805 (GCVE-0-2024-52805)

Vulnerability from cvelistv5 – Published: 2024-12-03 17:01 – Updated: 2024-12-03 19:04
Summary
Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
element-hq synapse Affected: < 1.120.1

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "synapse",
            "vendor": "element-hq",
            "versions": [
              {
                "lessThan": "1.120.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52805",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T19:04:05.237385Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T19:04:44.446Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.120.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T17:01:50.119Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2"
        },
        {
          "name": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518"
        },
        {
          "name": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609"
        }
      ],
      "source": {
        "advisory": "GHSA-rfq8-j7rh-8hf2",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse allows unsupported content types to lead to memory exhaustion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52805",
    "datePublished": "2024-12-03T17:01:50.119Z",
    "dateReserved": "2024-11-15T17:11:13.442Z",
    "dateUpdated": "2024-12-03T19:04:44.446Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-52815 (GCVE-0-2024-52815)

Vulnerability from cvelistv5 – Published: 2024-12-03 16:58 – Updated: 2024-12-03 19:06
Summary
Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
element-hq synapse Affected: < 1.120.1

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "synapse",
            "vendor": "element-hq",
            "versions": [
              {
                "lessThan": "1.120.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52815",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T19:05:32.860627Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T19:06:11.082Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.120.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user\u0027s /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T16:59:21.634Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h"
        }
      ],
      "source": {
        "advisory": "GHSA-f3r3-h2mq-hx2h",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse allows a a malformed invite to break the invitee\u0027s `/sync`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52815",
    "datePublished": "2024-12-03T16:58:30.877Z",
    "dateReserved": "2024-11-15T17:11:13.444Z",
    "dateUpdated": "2024-12-03T19:06:11.082Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53867 (GCVE-0-2024-53867)

Vulnerability from cvelistv5 – Published: 2024-12-03 16:52 – Updated: 2024-12-03 19:07
Summary
Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.
CWE
  • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
Impacted products
Vendor Product Version
element-hq synapse Affected: >= 1.113.0rc1, < 1.120.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53867",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T19:07:06.315341Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T19:07:19.919Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.113.0rc1, \u003c 1.120.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-497",
              "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T16:52:01.596Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h"
        },
        {
          "name": "https://github.com/matrix-org/matrix-spec-proposals/pull/4186",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/4186"
        }
      ],
      "source": {
        "advisory": "GHSA-56w4-5538-8v8h",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse Matrix has a partial room state leak via Sliding Sync"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53867",
    "datePublished": "2024-12-03T16:52:01.596Z",
    "dateReserved": "2024-11-22T17:30:02.145Z",
    "dateUpdated": "2024-12-03T19:07:19.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53863 (GCVE-0-2024-53863)

Vulnerability from cvelistv5 – Published: 2024-12-03 16:48 – Updated: 2024-12-03 19:08
Summary
Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Vendor Product Version
element-hq synapse Affected: < 1.120.1

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "synapse",
            "vendor": "element-hq",
            "versions": [
              {
                "lessThan": "1.120.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53863",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T19:07:32.536899Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T19:08:30.218Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.120.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T16:48:29.722Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g"
        }
      ],
      "source": {
        "advisory": "GHSA-vp6v-whfm-rv3g",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53863",
    "datePublished": "2024-12-03T16:48:29.722Z",
    "dateReserved": "2024-11-22T17:30:02.145Z",
    "dateUpdated": "2024-12-03T19:08:30.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-51750 (GCVE-0-2024-51750)

Vulnerability from cvelistv5 – Published: 2024-11-12 16:34 – Updated: 2024-11-12 17:12
Summary
Element is a Matrix web client built using the Matrix React SDK. A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them. This was patched in Element Web and Desktop 1.11.85.
CWE
  • CWE-248 - Uncaught Exception
Assigner
Impacted products
Vendor Product Version
element-hq element-web Affected: < 1.11.85

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51750",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T17:12:11.203871Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T17:12:21.715Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-web",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.11.85"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element is a Matrix web client built using the Matrix React SDK. A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them. This was patched in Element Web and Desktop 1.11.85."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-12T16:34:27.928Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc"
        },
        {
          "name": "https://github.com/element-hq/element-web/commit/231073c578d5f92b33cde7aa2b0b9c5836b2dc48",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-web/commit/231073c578d5f92b33cde7aa2b0b9c5836b2dc48"
        }
      ],
      "source": {
        "advisory": "GHSA-w36j-v56h-q9pc",
        "discovery": "UNKNOWN"
      },
      "title": "Element allows a malicious homeserver can modify events leading to unrenderable events or rooms"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51750",
    "datePublished": "2024-11-12T16:34:27.928Z",
    "dateReserved": "2024-10-31T14:12:45.790Z",
    "dateUpdated": "2024-11-12T17:12:21.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-51749 (GCVE-0-2024-51749)

Vulnerability from cvelistv5 – Published: 2024-11-12 16:34 – Updated: 2024-11-12 17:14
Summary
Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events that trigger a file download once clicked. Fixed in element-web 1.11.85.
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
Impacted products
Vendor Product Version
element-hq element-web Affected: < 1.11.85

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51749",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T17:14:12.000969Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T17:14:30.943Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-web",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.11.85"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events trigger a file download once clicked. Fixed in element-web 1.11.85."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-12T16:34:21.603Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2"
        },
        {
          "name": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5"
        }
      ],
      "source": {
        "advisory": "GHSA-5486-384g-mcx2",
        "discovery": "UNKNOWN"
      },
      "title": "Element\u0027s thumbnails can be abused to misrepresent the content of an attachment"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51749",
    "datePublished": "2024-11-12T16:34:21.603Z",
    "dateReserved": "2024-10-31T14:12:45.790Z",
    "dateUpdated": "2024-11-12T17:14:30.943Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47779 (GCVE-0-2024-47779)

Vulnerability from cvelistv5 – Published: 2024-10-15 15:28 – Updated: 2024-11-12 16:07
Summary
Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Note that despite superficial similarity to CVE-2024-47771, this is an entirely separate vulnerability, caused by a separate piece of code included only in Element Web. Element Web and Element Desktop share most, but not all, of their code, and this vulnerability exists in the part of the code base which is not shared between the projects. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
element-hq element-web Affected: >= 1.11.70, < 1.11.81

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47779",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T15:44:14.817960Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T15:44:32.771Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-web",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.11.70, \u003c 1.11.81"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Note that despite superficial similarity to CVE-2024-47771, this is an entirely separate vulnerability, caused by a separate piece of code included only in Element Web. Element Web and Element Desktop share most but not all, of their code and this vulnerability exists in the part of the code base which is not shared between the projects. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-12T16:07:45.332Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x"
        },
        {
          "name": "https://github.com/element-hq/element-web/commit/8d7f2b5c1301129a488d3597f3839bd74203ee62",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-web/commit/8d7f2b5c1301129a488d3597f3839bd74203ee62"
        }
      ],
      "source": {
        "advisory": "GHSA-3jm3-x98c-r34x",
        "discovery": "UNKNOWN"
      },
      "title": "Element Web vulnerable to potential exposure of access token via authenticated media"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47779",
    "datePublished": "2024-10-15T15:28:00.293Z",
    "dateReserved": "2024-09-30T21:28:53.236Z",
    "dateUpdated": "2024-11-12T16:07:45.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47771 (GCVE-0-2024-47771)

Vulnerability from cvelistv5 – Published: 2024-10-15 15:02 – Updated: 2024-10-15 17:28
Summary
Element Desktop is a Matrix client for desktop platforms. Element Desktop versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
element-hq element-desktop Affected: >= 1.11.70, < 1.11.81

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47771",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T17:28:06.802324Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T17:28:19.064Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-desktop",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.11.70, \u003c 1.11.81"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element Desktop is a Matrix client for desktop platforms. Element Desktop versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-15T15:26:32.230Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-desktop/security/advisories/GHSA-963w-49j9-gxj6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-desktop/security/advisories/GHSA-963w-49j9-gxj6"
        },
        {
          "name": "https://github.com/element-hq/element-desktop/commit/6c78684e84ba7f460aedba6f017760e2323fdf4b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-desktop/commit/6c78684e84ba7f460aedba6f017760e2323fdf4b"
        },
        {
          "name": "https://github.com/element-hq/element-web/commit/63c8550791a0221189f495d6458fee7db601c789",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-web/commit/63c8550791a0221189f495d6458fee7db601c789"
        }
      ],
      "source": {
        "advisory": "GHSA-963w-49j9-gxj6",
        "discovery": "UNKNOWN"
      },
      "title": "Element Desktop vulnerable to potential exposure of access token via authenticated media"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47771",
    "datePublished": "2024-10-15T15:02:54.059Z",
    "dateReserved": "2024-09-30T21:28:53.233Z",
    "dateUpdated": "2024-10-15T17:28:19.064Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-31208 (GCVE-0-2024-31208)

Vulnerability from cvelistv5 – Published: 2024-04-23 17:26 – Updated: 2025-02-13 17:47
Summary
Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
element-hq synapse Affected: < 1.105.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-31208",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-23T19:13:09.531555Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-23T18:42:58.878Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:46:04.624Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v"
          },
          {
            "name": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a"
          },
          {
            "name": "https://github.com/element-hq/synapse/releases/tag/v1.105.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.105.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T02:06:09.197Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v"
        },
        {
          "name": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a"
        },
        {
          "name": "https://github.com/element-hq/synapse/releases/tag/v1.105.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/"
        }
      ],
      "source": {
        "advisory": "GHSA-3h7q-rfh9-xm4v",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse\u0027s V2 state resolution weakness allows DoS from remote room members"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-31208",
    "datePublished": "2024-04-23T17:26:39.171Z",
    "dateReserved": "2024-03-29T14:16:31.900Z",
    "dateUpdated": "2025-02-13T17:47:51.943Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26132 (GCVE-0-2024-26132)

Vulnerability from cvelistv5 – Published: 2024-02-20 18:30 – Updated: 2024-08-01 23:59
Summary
Element Android is an Android Matrix Client. A third-party malicious application installed on the same phone can force Element Android, version 0.91.0 through 1.6.12, to share files stored under the `files` directory in the application's private data directory to an arbitrary room. The impact of the attack is reduced by the fact that the databases stored in this folder are encrypted. However, it contains some other potentially sensitive information, such as the FCM token. Forks of Element Android which have set `android:exported="false"` in the `AndroidManifest.xml` file for the `IncomingShareActivity` activity are not impacted. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue. (The "through 1.6.12" wording conflicts with the fix statement; the record's machine-readable affected range is `>= 0.91.0, < 1.6.12`, so use that range when checking installed versions.)
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
element-hq element-android Affected: >= 0.91.0, < 1.6.12

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26132",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-29T20:56:17.813395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:36.738Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:59:32.399Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/element-hq/element-android/security/advisories/GHSA-8wj9-cx7h-pvm4",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/element-hq/element-android/security/advisories/GHSA-8wj9-cx7h-pvm4"
          },
          {
            "name": "https://github.com/element-hq/element-android/commit/8f9695a9a8d944cb9b92568cbd76578c51d32e07",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/element-hq/element-android/commit/8f9695a9a8d944cb9b92568cbd76578c51d32e07"
          },
          {
            "name": "https://element.io/blog/security-release-element-android-1-6-12",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://element.io/blog/security-release-element-android-1-6-12"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-android",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.91.0, \u003c 1.6.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element Android is an Android Matrix Client. A third-party malicious application installed on the same phone can force Element Android, version 0.91.0 through 1.6.12, to share files stored under the `files` directory in the application\u0027s private data directory to an arbitrary room. The impact of the attack is reduced by the fact that the databases stored in this folder are encrypted. However, it contains some other potentially sensitive information, such as the FCM token. Forks of Element Android which have set `android:exported=\"false\"` in the `AndroidManifest.xml` file for the `IncomingShareActivity` activity are not impacted. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T18:30:26.803Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-android/security/advisories/GHSA-8wj9-cx7h-pvm4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-android/security/advisories/GHSA-8wj9-cx7h-pvm4"
        },
        {
          "name": "https://github.com/element-hq/element-android/commit/8f9695a9a8d944cb9b92568cbd76578c51d32e07",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-android/commit/8f9695a9a8d944cb9b92568cbd76578c51d32e07"
        },
        {
          "name": "https://element.io/blog/security-release-element-android-1-6-12",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://element.io/blog/security-release-element-android-1-6-12"
        }
      ],
      "source": {
        "advisory": "GHSA-8wj9-cx7h-pvm4",
        "discovery": "UNKNOWN"
      },
      "title": "Element Android can be asked to share internal files."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-26132",
    "datePublished": "2024-02-20T18:30:26.803Z",
    "dateReserved": "2024-02-14T17:40:03.687Z",
    "dateUpdated": "2024-08-01T23:59:32.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26131 (GCVE-0-2024-26131)

Vulnerability from cvelistv5 – Published: 2024-02-20 18:17 – Updated: 2024-08-01 23:59
Summary
Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an arbitrary web page, executing arbitrary JavaScript; bypassing PIN code protection; and account takeover by spawning a login screen to send credentials to an arbitrary home server. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue. (The record's machine-readable affected range is `>= 1.4.3, < 1.6.12`, which is wider than the "through 1.6.10" wording; treat any version below 1.6.12 as needing the upgrade.)
CWE
  • CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
  • CWE-940 - Improper Verification of Source of a Communication Channel
Assigner
Impacted products
Vendor Product Version
element-hq element-android Affected: >= 1.4.3, < 1.6.12

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26131",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-29T14:41:52.849097Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:48:14.189Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:59:32.646Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm"
          },
          {
            "name": "https://github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9"
          },
          {
            "name": "https://element.io/blog/security-release-element-android-1-6-12",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://element.io/blog/security-release-element-android-1-6-12"
          },
          {
            "name": "https://support.google.com/faqs/answer/9267555?hl=en",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.google.com/faqs/answer/9267555?hl=en"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "element-android",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.4.3, \u003c 1.6.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an arbitrary web page, executing arbitrary JavaScript; bypassing PIN code protection; and account takeover by spawning a login screen to send credentials to an arbitrary home server. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-923",
              "description": "CWE-923: Improper Restriction of Communication Channel to Intended Endpoints",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-940",
              "description": "CWE-940: Improper Verification of Source of a Communication Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T18:17:01.583Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm"
        },
        {
          "name": "https://github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9"
        },
        {
          "name": "https://element.io/blog/security-release-element-android-1-6-12",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://element.io/blog/security-release-element-android-1-6-12"
        },
        {
          "name": "https://support.google.com/faqs/answer/9267555?hl=en",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.google.com/faqs/answer/9267555?hl=en"
        }
      ],
      "source": {
        "advisory": "GHSA-j6pr-fpc8-q9vm",
        "discovery": "UNKNOWN"
      },
      "title": "Element Android Intent Redirection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-26131",
    "datePublished": "2024-02-20T18:17:01.583Z",
    "dateReserved": "2024-02-14T17:40:03.687Z",
    "dateUpdated": "2024-08-01T23:59:32.646Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}