Vulnerability identifier: #VU88832
Vulnerability risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-923
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Element Android
Mobile applications /
Apps for mobile phones
Vendor: Element
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to an intent redirection. A remote attacker can use a specially crafted application and start any internal activity by passing extra parameters.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Element Android: 1.4.3 - 1.6.10
External links
http://github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm
http://github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9
http://element.io/blog/security-release-element-android-1-6-12
http://support.google.com/faqs/answer/9267555?hl=en
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.