PT-2024-21290 · Element · Element Android
Smaury +2 · Published 2024-02-20 · Updated 2025-10-31 · CVE-2024-26131
CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Element Android versions 1.4.3 through 1.6.10
Description
The issue allows a third-party malicious application to start any internal activity by passing some extra parameters. Possible impacts include making Element Android display an arbitrary web page, executing arbitrary JavaScript, bypassing PIN code protection, and account takeover by spawning a login screen that sends credentials to an arbitrary home server.
Recommendations
For Element Android versions 1.4.3 through 1.6.10, update to version 1.6.12 to resolve the issue.
At the moment, there is no known workaround to mitigate the issue for these versions.
Affected Products
Element Android