CVE-2024-47771 HIGH

CVE-2024-47771: Element Desktop vulnerable to potential exposure of access token via authenticated media

Vendor Element-Hq
Product element-desktop
Weakness CWE-200 · Info exposure
Published October 15, 2024
Last update October 15, 2024
View on NVD All CVEs

CVSS base score

7.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Element Desktop is a Matrix client for desktop platforms. Element Desktop versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets.

Key dates

02Disclosure timeline

October 15, 2024 CVE published
October 15, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-11295 Simple Page Access Restriction <= 1.0.29 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure CVE-2024-13796 Post Grid and Gutenberg Blocks – ComboBlocks <= 2.3.6 - Unauthenticated User Information Exposure CVE-2023-0659 BDCOM 1704-WGL Backup File param.file.tgz information disclosure CVE-2022-40629 Sensitive Information Disclosure Vulnerability in Tacitine Firewall CVE-2024-34711 GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)