git: 82100c261bf1 - main - security/vuxml: Document element-web vulnerabilities

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Ashish SHUKLA <ashish_at_FreeBSD.org>
Date: Tue, 12 Nov 2024 22:22:46 UTC
The branch main has been updated by ashish:

URL: https://cgit.FreeBSD.org/ports/commit/?id=82100c261bf1fbf9211ab701a6f45a9ec09ef451

commit 82100c261bf1fbf9211ab701a6f45a9ec09ef451
Author:     Ashish SHUKLA <ashish@FreeBSD.org>
AuthorDate: 2024-11-12 22:17:26 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2024-11-12 22:20:17 +0000

    security/vuxml: Document element-web vulnerabilities
    
    Security:       CVE-2024-51749
    Security:       CVE-2024-51750
---
 security/vuxml/vuln/2024.xml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index 455cf03ece90..a7d36c690346 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,40 @@
+  <vuln vid="ab4e6f65-a142-11ef-84e9-901b0e9408dc">
+    <topic>element-web -- several vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>element-web</name>
+	<range><lt>1.11.85</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Element team reports:</p>
+	<blockquote cite="https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2">
+	  <p>Versions of Element Web and Desktop earlier than 1.11.85 do
+	  not check if thumbnails for attachments, stickers and images
+	  are coherent. It is possible to add thumbnails to events
+	  trigger a file download once clicked.</p>
+	</blockquote>
+	<blockquote cite="https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc">
+	  <p>A malicious homeserver can send invalid messages over
+	  federation which can prevent Element Web and Desktop from
+	  rendering single messages or the entire room containing
+	  them.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2024-51749</cvename>
+      <cvename>CVE-2024-51750</cvename>
+      <url>https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2</url>
+      <url>https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc</url>
+    </references>
+    <dates>
+      <discovery>2024-11-12</discovery>
+      <entry>2024-11-12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="574f7bc9-a141-11ef-84e9-901b0e9408dc">
     <topic>Matrix clients -- mxc uri validation in js sdk</topic>
     <affects>