CVE-2022-41904 – Element iOS is vulnerable due to missing decoration for events decrypted with untrusted Megolm sessions
https://notcve.org/view.php?id=CVE-2022-41904
Element iOS is an iOS Matrix client provided by Element. It is based on MatrixSDK. Prior to version 1.9.7, events encrypted using Megolm for which trust could not be established were not decorated accordingly (with warning shields). Therefore a malicious homeserver could inject messages into the room without the user being alerted that the messages were not sent by a verified group member, even if the user had previously verified all group members. This issue has been patched in Element iOS 1.9.7.
References: https://github.com/vector-im/element-ios/releases/tag/v1.9.7 , https://github.com/vector-im/element-ios/security/advisories/GHSA-fm8m-99j7-323g
CWE-357: Insufficient UI Warning of Dangerous Operations
CVE-2022-27103
https://notcve.org/view.php?id=CVE-2022-27103
element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column.
References: https://github.com/asjdf/element-table-xss-test , https://github.com/asjdf/element-table-xss-test/issues/1 , https://github.com/element-plus/element-plus/issues/6514
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24573
https://notcve.org/view.php?id=CVE-2022-24573
A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field.
References: http://element-it.com , https://www.element-it.com/news.aspx
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23597 – Remote program execution with user interaction
https://notcve.org/view.php?id=CVE-2022-23597
Element Desktop is a Matrix client for desktop platforms with Element Web at its core. Element Desktop before 1.9.7 is vulnerable to a remote program execution bug with user interaction. The exploit is non-trivial and requires clicking on a malicious link, followed by another button click. To the best of our knowledge, the vulnerability has never been exploited in the wild. If you are using Element Desktop < 1.9.7, we recommend upgrading at your earliest convenience.
References: https://github.com/vector-im/element-desktop/commit/89b1e39b801655e595337708d4319ba4313feafa , https://github.com/vector-im/element-desktop/security/advisories/GHSA-mjrg-9f8r-h3m7
CWE-416: Use After Free
CVE-2021-40813
https://notcve.org/view.php?id=CVE-2021-40813
A cross-site scripting (XSS) vulnerability in the "Zip content" feature in Element-IT HTTP Commander 3.1.9 allows remote authenticated users to inject arbitrary web script or HTML via filenames.
References: https://www.element-it.com/products.aspx , https://www.exploit-db.com/exploits/50645
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')