Improper restriction of communication channel to intended endpoints in Element Android

#VU88832 Improper restriction of communication channel to intended endpoints in Element Android

Published: 2024-04-19

Vulnerability identifier: #VU88832

Vulnerability risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2024-26131

CWE-ID: CWE-923

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Element Android
Mobile applications / Apps for mobile phones

Vendor: Element

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an intent redirection. A remote attacker can use a specially crafted application and start any internal activity by passing extra parameters.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Element Android: 1.4.3 - 1.6.10

External links
http://github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm
http://github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9
http://element.io/blog/security-release-element-android-1-6-12
http://support.google.com/faqs/answer/9267555?hl=en

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Element Android