PT-2024-32811 · Element · Element Web
Davidegirardi · Published 2024-10-15 · Updated 2024-11-12 · CVE-2024-47779
CVSS v4.0: 7.0 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Element Web versions 1.11.70 through 1.11.80
Description
Under specially crafted conditions, access tokens can be exposed to third parties. At least one vector has been identified, involving malicious widgets, but other vectors may exist. Users are advised to upgrade to a newer version to remediate the issue.
Recommendations
For Element Web versions 1.11.70 through 1.11.80, upgrade to version 1.11.81 to resolve the issue.
As a temporary workaround, avoid granting permissions to untrusted widgets.
Exploit
Fix
Information Disclosure
Affected Products
Element Web