31 results (0.013 seconds)

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

Element is a Matrix web client built using the Matrix React SDK. A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them. This was patched in Element Web and Desktop 1.11.85. • https://github.com/element-hq/element-web/commit/231073c578d5f92b33cde7aa2b0b9c5836b2dc48 https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc • CWE-248: Uncaught Exception •

CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0

Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events trigger a file download once clicked. Fixed in element-web 1.11.85. • https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5 https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2 • CWE-451: User Interface (UI) Misrepresentation of Critical Information •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in QuomodoSoft ElementsReady Addons for Elementor allows Stored XSS.This issue affects ElementsReady Addons for Elementor: from n/a through 6.4.3. The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/element-ready-lite/wordpress-elementsready-addons-for-elementor-plugin-6-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0

Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Note that despite superficial similarity to CVE-2024-47771, this is an entirely separate vulnerability, caused by a separate piece of code included only in Element Web. Element Web and Element Desktop share most but not all, of their code and this vulnerability exists in the part of the code base which is not shared between the projects. • https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x https://github.com/element-hq/element-web/commit/8d7f2b5c1301129a488d3597f3839bd74203ee62 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0

Element Desktop is a Matrix client for desktop platforms. Element Desktop versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets. • https://github.com/element-hq/element-desktop/commit/6c78684e84ba7f460aedba6f017760e2323fdf4b https://github.com/element-hq/element-desktop/security/advisories/GHSA-963w-49j9-gxj6 https://github.com/element-hq/element-web/commit/63c8550791a0221189f495d6458fee7db601c789 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •