Lucene search

GitHub_MVULNRICHMENT:CVE-2024-26131

HistoryFeb 20, 2024 - 6:17 p.m.

CVE-2024-26131 Element Android Intent Redirection

2024-02-2018:17:01

CWE-940

CWE-923

GitHub_M

github.com

element android

intent redirection

vulnerable version

mitigation

cve-2024-26131

CVSS3

8.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an arbitrary web page, executing arbitrary JavaScript; bypassing PIN code protection; and account takeover by spawning a login screen to send credentials to an arbitrary home server. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue.

References

element.io/blog/security-release-element-android-1-6-12

github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9

github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm

support.google.com/faqs/answer/9267555?hl=en

CVSS3

8.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-26131