Lucene search

GitHub_MCVELIST:CVE-2024-26131

HistoryFeb 20, 2024 - 6:17 p.m.

CVE-2024-26131 Element Android Intent Redirection

2024-02-2018:17:01

CWE-940

CWE-923

GitHub_M

www.cve.org

element android

intent redirection

vulnerability

mitigation

cve-2024-26131

security issue

CVSS3

8.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.1

Confidence

High

EPSS

Percentile

15.5%

JSON

Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an arbitrary web page, executing arbitrary JavaScript; bypassing PIN code protection; and account takeover by spawning a login screen to send credentials to an arbitrary home server. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue.

CNA Affected

[
  {
    "vendor": "element-hq",
    "product": "element-android",
    "versions": [
      {
        "version": ">= 1.4.3, < 1.6.12",
        "status": "affected"
      }
    ]
  }
]

References

element.io/blog/security-release-element-android-1-6-12

github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9

github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm

support.google.com/faqs/answer/9267555?hl=en

CVSS3

8.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.1

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for CVELIST:CVE-2024-26131