Improper Restriction of Communication Channel to Intended Endpoints

CVE-2024-26131

High

8.4/10

Summary

Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an arbitrary web page, executing arbitrary JavaScript; bypassing PIN code protection; and account takeover by spawning a login screen to send credentials to an arbitrary home server. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints

The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

References

Advisory Timeline

Published Feb 29, 2024

Improper Restriction of Communication Channel to Intended Endpoints

CVE-2024-26131

Summary

CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS