Home > Vulnerability Database > CVE-2024-26132

Mend.io Vulnerability Database

CVE-2024-26132

Date: February 20, 2024

Element Android is an Android Matrix Client. A third-party malicious application installed on the same phone can force Element Android, version 0.91.0 through 1.6.12, to share files stored under the "files" directory in the application's private data directory to an arbitrary room. The impact of the attack is reduced by the fact that the databases stored in this folder are encrypted. However, it contains some other potentially sensitive information, such as the FCM token. Forks of Element Android which have set "android:exported="false"" in the "AndroidManifest.xml" file for the "IncomingShareActivity" activity are not impacted. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue.

Language: KOTLIN

Severity Score

4.0

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-26132

Url: https://element.io/blog/security-release-element-android-1-6-12

Url: https://github.com/element-hq/element-android/security/advisories/GHSA-8wj9-cx7h-pvm4

Url: https://github.com/element-hq/element-android/commit/8f9695a9a8d944cb9b92568cbd76578c51d32e07

Url: https://www.mend.io/vulnerability-database/CVE-2024-26132

Severity Score

4.0

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

CVSS v3.1

Base Score:	4.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-26132

Date: February 20, 2024

Language: KOTLIN

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?