CVE-2024-51750 MEDIUM

CVE-2024-51750: Element allows a malicious homeserver to modify events, leading to unrenderable events or rooms

Vendor Element-Hq
Product element-web
Weakness CWE-248
Published November 12, 2024
Last update November 12, 2024

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

What the vulnerability does

01 Description

Element is a Matrix web client built using the Matrix React SDK. A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them. This was patched in Element Web and Desktop 1.11.85.

Key dates

02 Disclosure timeline

November 12, 2024 CVE published
November 12, 2024 Record updated