FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

element-web -- several vulnerabilities

Affected packages
element-web < 1.11.85

Details

VuXML ID ab4e6f65-a142-11ef-84e9-901b0e9408dc
Discovery 2024-11-12
Entry 2024-11-12

Element team reports:

Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events that trigger a file download once clicked.

A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them.
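As an added illustration (this is not Element's code and not the fix shipped in 1.11.85), the JavaScript below shows the two defensive behaviours the advisory implies a client needs: a coherence check that only honours a thumbnail whose declared `thumbnail_info.mimetype` is an image type and whose `thumbnail_url` is an `mxc://` URI, and a room renderer that isolates a single malformed event so it cannot prevent the rest of the room from rendering. The helper names (`checkThumbnail`, `renderEvent`, `renderRoom`), the accepted MIME list and the sample events are constructed for this example; the event field names follow the Matrix `m.room.message` schema.

```javascript
// Added example, not Element's code: thumbnail coherence check and
// fault-isolated room rendering for Matrix-style message events.
// Helper names, the MIME allow-list and SAMPLE_EVENTS are constructed here.

const IMAGE_MIME = /^image\/(png|jpeg|gif|webp)$/i;          // assumed allow-list
const MXC_URI = /^mxc:\/\/[^/\s]+\/[^/\s]+$/;                 // mxc://server/media-id

// Return { ok: true } when the event carries no thumbnail or a coherent one,
// otherwise { ok: false, reason }. A coherent thumbnail is an mxc:// URI whose
// declared mimetype is an image and whose dimensions, if given, are positive ints.
function checkThumbnail(event) {
  const content = event && event.content;
  if (!content || typeof content !== 'object') return { ok: false, reason: 'no content' };
  const info = content.info;
  if (!info || typeof info !== 'object' || info.thumbnail_url === undefined) {
    return { ok: true };                                   // nothing to check
  }
  if (typeof info.thumbnail_url !== 'string' || !MXC_URI.test(info.thumbnail_url)) {
    return { ok: false, reason: 'thumbnail_url is not an mxc:// URI' };
  }
  const tinfo = info.thumbnail_info;
  if (!tinfo || typeof tinfo !== 'object') return { ok: false, reason: 'missing thumbnail_info' };
  if (typeof tinfo.mimetype !== 'string' || !IMAGE_MIME.test(tinfo.mimetype)) {
    return { ok: false, reason: `thumbnail mimetype "${tinfo.mimetype}" is not an image` };
  }
  for (const k of ['w', 'h']) {
    if (k in tinfo && !(Number.isInteger(tinfo[k]) && tinfo[k] > 0)) {
      return { ok: false, reason: `thumbnail ${k} is not a positive integer` };
    }
  }
  return { ok: true };
}

// Render one event to a line of text. Throws on malformed input so the caller
// can decide how to isolate the failure instead of letting it escape.
function renderEvent(event) {
  if (!event || typeof event !== 'object' || typeof event.type !== 'string') {
    throw new TypeError('malformed event');
  }
  if (event.type !== 'm.room.message') return `[${event.type}]`;
  const c = event.content;
  if (!c || typeof c !== 'object' || typeof c.body !== 'string') {
    throw new TypeError('message without body');
  }
  const thumb = checkThumbnail(event);
  const tag = thumb.ok ? '' : ' (thumbnail hidden)';     // incoherent: do not show it
  return `${event.sender}: ${c.body}${tag}`;
}

// Render a whole timeline; one bad event becomes a placeholder line rather
// than aborting the room. Returns { lines, failed }.
function renderRoom(events) {
  const lines = [];
  let failed = 0;
  for (const ev of events) {
    try {
      lines.push(renderEvent(ev));
    } catch (e) {
      failed += 1;
      const id = ev && typeof ev.event_id === 'string' ? ` ${ev.event_id}` : '';
      lines.push(`[unrenderable event${id}]`);
    }
  }
  return { lines, failed };
}

// Constructed sample timeline: a coherent image, a file whose "thumbnail" is
// not an image, a message with no content at all, and a plain text message.
const SAMPLE_EVENTS = [
  { event_id: '$ok-image', type: 'm.room.message', sender: '@alice:example.org',
    content: { msgtype: 'm.image', body: 'cat.png', url: 'mxc://example.org/abc',
      info: { mimetype: 'image/png', thumbnail_url: 'mxc://example.org/abc-thumb',
              thumbnail_info: { mimetype: 'image/png', w: 64, h: 64 } } } },
  { event_id: '$bad-thumb', type: 'm.room.message', sender: '@mallory:example.net',
    content: { msgtype: 'm.file', body: 'report.pdf', url: 'mxc://example.net/def',
      info: { mimetype: 'application/pdf', thumbnail_url: 'mxc://example.net/def',
              thumbnail_info: { mimetype: 'application/octet-stream' } } } },
  { event_id: '$garbage', type: 'm.room.message', sender: '@mallory:example.net',
    content: null },
  { event_id: '$text', type: 'm.room.message', sender: '@bob:example.org',
    content: { msgtype: 'm.text', body: 'hello' } },
];

console.log(renderRoom(SAMPLE_EVENTS));
```

Running the block prints four lines and `failed: 1`: the coherent image renders normally, the file whose thumbnail declares a non-image type renders with its thumbnail suppressed, the content-less event becomes a placeholder, and the text message is unaffected.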

References

CVE Name CVE-2024-51749
CVE Name CVE-2024-51750
URL https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2
URL https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc