Vulnerability DatabaseCVE-2024-26131
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-26131
February 20, 2024
Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an arbitrary web page, executing arbitrary JavaScript; bypassing PIN code protection; and account takeover by spawning a login screen to send credentials to an arbitrary home server. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue.
Related ResourcesĀ (4)
https://github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9
https://support.google.com/faqs/answer/9267555?hl=en
https://github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm
https://element.io/blog/security-release-element-android-1-6-12
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.6
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.4
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Restriction of Communication Channel to Intended Endpoints
CWE-923
Improper Verification of Source of a Communication Channel
CWE-940
EPSS
Base Score:
0.04