git: 90a45de5e44a - main - security/vuxml: Document element-web vulnerability

From: Ashish SHUKLA <ashish_at_FreeBSD.org>
Date: Tue, 15 Oct 2024 15:03:56 UTC
The branch main has been updated by ashish:

URL: https://cgit.FreeBSD.org/ports/commit/?id=90a45de5e44a67951c6f59beb943e169190656d9

commit 90a45de5e44a67951c6f59beb943e169190656d9
Author:     Ashish SHUKLA <ashish@FreeBSD.org>
AuthorDate: 2024-10-15 14:59:57 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2024-10-15 15:03:24 +0000

    security/vuxml: Document element-web vulnerability
---
 security/vuxml/vuln/2024.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index 9ab3e4a2a34e..b6086953409e 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,36 @@
+  <vuln vid="851ce3e4-8b03-11ef-84e9-901b0e9408dc">
+    <topic>element-web -- Potential exposure of access token via authenticated media</topic>
+    <affects>
+      <package>
+	<name>element-web</name>
+	<range><ge>1.11.70</ge><lt>1.11.81</lt>
+	</range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Element team reports:</p>
+	<blockquote cite="https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x">
+	  <p>Element Web versions 1.11.70 through 1.11.80 contain a
+	  vulnerability which can, under specially crafted conditions,
+	  lead to the access token becoming exposed to third
+	  parties. At least one vector has been identified internally,
+	  involving malicious widgets, but other vectors may
+	  exist. Users are strongly advised to upgrade to version
+	  1.11.81 to remediate the issue.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2024-47779</cvename>
+      <url>https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x</url>
+    </references>
+    <dates>
+      <discovery>2024-10-15</discovery>
+      <entry>2024-10-15</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="64e299b6-d12b-4a7a-a94f-ab133703925a">
     <topic>vscode -- Visual Studio Code for Linux Remote Code Execution Vulnerability</topic>
     <affects>
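Review bot: The `<range>` element in the new element-web entry closes on a line of its own, which splits the version bound across two lines; writing it as `<range><ge>1.11.70</ge><lt>1.11.81</lt></range>` keeps the whole bound on one line, where it is easiest to compare against the advisory text. The bounds themselves agree with the quoted "1.11.70 through 1.11.80" and the fixed version 1.11.81. This is a layout point only: the extra whitespace sits between elements and is presumably ignored by whatever reads the file, and the neighbouring vscode entry is cut off at `<affects>`, so its layout cannot be compared from this hunk.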