Element Android Intent Redirection

High
dkasak published GHSA-j6pr-fpc8-q9vm Feb 20, 2024

Package

im.vector.app (Kotlin)

Affected versions

>= 1.4.3, < 1.6.12

Patched versions

1.6.12

Description

Impact

Element Android versions 1.4.3 (released on 2022-09-10) through 1.6.10 are vulnerable to intent redirection, allowing a third-party malicious application installed on the phone to start any internal activity by passing some extra parameters.

This could be exploited to make Element Android display an arbitrary web page or bypass the PIN code protection.
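A defensive pattern against this bug class is shown below as an added example. It is not Element's code or its fix. It assumes the common form of intent redirection, in which an exported activity launches an Intent it received as an extra. The class, extra keys and target names are hypothetical.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Bundle

// Hypothetical exported entry point; every name in this file is illustrative.
class ForwardingActivity : Activity() {

    // Internal screens an outside caller may reach. Leave out anything that
    // renders a caller-supplied URL or that sits behind the PIN lock.
    private val allowedTargets = setOf(
        "com.example.app.ShareActivity",
        "com.example.app.RoomDetailActivity",
    )

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // The redirection bug is forwarding this extra unchecked:
        //   startActivity(intent.getParcelableExtra(EXTRA_NEXT))
        val next = sanitize(readNested(intent))
        if (next != null) startActivity(next)
        finish()
    }

    // Unparcelling attacker-controlled extras can throw; treat that as "no intent".
    private fun readNested(outer: Intent): Intent? = try {
        @Suppress("DEPRECATION")
        outer.getParcelableExtra<Intent>(EXTRA_NEXT)
    } catch (e: RuntimeException) {
        null
    }

    private fun sanitize(untrusted: Intent?): Intent? {
        if (untrusted == null) return null
        val target = untrusted.resolveActivity(packageManager) ?: return null
        if (target.packageName != packageName) return null   // stay inside our own app
        if (target.className !in allowedTargets) return null // and only on approved screens
        // Rebuild rather than forward: this drops the caller's flags (including
        // URI permission grants), data URI and any extras not copied explicitly.
        return Intent().apply {
            setClassName(packageName, target.className)
            untrusted.getStringExtra(EXTRA_ROOM_ID)?.let { putExtra(EXTRA_ROOM_ID, it) }
        }
    }

    companion object {
        const val EXTRA_NEXT = "com.example.app.extra.NEXT"       // assumed key
        const val EXTRA_ROOM_ID = "com.example.app.extra.ROOM_ID" // assumed key
    }
}
```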

Patches

Fixed in Element Android 1.6.12 (commit 5373425).

Workarounds

There is no known workaround to mitigate the issue.

References

For more information:

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity

High

CVE ID

CVE-2024-26131

Credits