CVE-2024-51749 LOW

CVE-2024-51749: Element's thumbnails can be abused to misrepresent the content of an attachment

Vendor Element-Hq
Product element-web
Weakness CWE-451
Published November 12, 2024
Last update November 12, 2024

CVSS base score

3.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events that trigger a file download once clicked. Fixed in element-web 1.11.85.

Key dates

02 Disclosure timeline

November 12, 2024 CVE published
November 12, 2024 Record updated