PT-2022-26135 · Matrix · Element iOS

Kasak · Published 2022-11-11 · Updated 2022-11-16 · CVE-2022-41904

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Element iOS versions prior to 1.9.7

Description: The issue affects the Element iOS client, which is based on MatrixSDK. Prior to version 1.9.7, events encrypted using Megolm for which trust could not be established were not decorated accordingly, allowing a malicious homeserver to inject messages into the room without the user being alerted. This could happen even if the user had previously verified all group members.

Recommendations: For versions prior to 1.9.7, update to version 1.9.7 to resolve the issue. As a temporary workaround, consider restricting access to unverified group members to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2022-41904
GHSA-FM8M-99J7-323G

Affected Products

Element iOS