CVE-2024-26131

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-26131
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26131.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26131
Aliases
  • GHSA-j6pr-fpc8-q9vm
Published
2024-02-20T18:17:01.583Z
Modified
2026-04-10T05:11:27.499557Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Element Android Intent Redirection
Details

Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an arbitrary web page, executing arbitrary JavaScript; bypassing PIN code protection; and account takeover by spawning a login screen to send credentials to an arbitrary home server. This issue is fixed in Element Android 1.6.12. There is no known workaround to mitigate the issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-923",
        "CWE-940"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26131.json"
}
References

Affected packages

Git / github.com/element-hq/element-android

Affected ranges

Type
GIT
Repo
https://github.com/element-hq/element-android
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
effdca1832d2b0ab24731e1cc8c0dc9b9380b9b4

Affected versions

v0.*
v0.1.0
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.15.0
v0.16.0
v0.17.0
v0.19.0
v0.2.0
v0.20.0
v0.21.0
v0.22.0
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.6.1
v0.7.0
v0.8.0
v0.9.0
v0.9.1
v0.91.3-beta
v0.91.4-beta
v0.91.5
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.3.1
v1.3.10
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.7-RC2
v1.3.8
v1.3.9
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.16
v1.4.18
v1.4.19
v1.4.2
v1.4.20
v1.4.22
v1.4.24
v1.4.25
v1.4.26
v1.4.27
v1.4.27-RC2
v1.4.28
v1.4.30
v1.4.31
v1.4.32
v1.4.34
v1.4.36
v1.5.0
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.16
v1.5.18
v1.5.2
v1.5.20
v1.5.22
v1.5.24
v1.5.25
v1.5.26
v1.5.28
v1.5.30
v1.5.32
v1.5.4
v1.5.6
v1.5.7
v1.5.8
v1.6.0
v1.6.1
v1.6.10
v1.6.2
v1.6.3
v1.6.5
v1.6.6
v1.6.8

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26131.json"

Git / github.com/vector-im/element-ios

Affected ranges

Type
GIT
Repo
https://github.com/vector-im/element-ios
Events
Introduced
dcc672635677655e4280255a17acca8056164611
Fixed
6f236bab2bb3970279dc97904ecfa168a8135428
Database specific 
{
    "versions": [
        {
            "introduced": "1.4.3"
        },
        {
            "fixed": "1.6.12"
        }
    ]
}

Affected versions

v1.*
v1.4.3
v1.4.4
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.6.10
v1.6.11
v1.6.2
v1.6.4
v1.6.5
v1.6.6
v1.6.8
v1.6.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26131.json"