Date: Tue, 12 Nov 2024 22:22:46 GMT From: Ashish SHUKLA <ashish@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 82100c261bf1 - main - security/vuxml: Document element-web vulnerabilities Message-ID: <202411122222.4ACMMkkp089583@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by ashish: URL: https://cgit.FreeBSD.org/ports/commit/?id=82100c261bf1fbf9211ab701a6f45a9ec09ef451 commit 82100c261bf1fbf9211ab701a6f45a9ec09ef451 Author: Ashish SHUKLA <ashish@FreeBSD.org> AuthorDate: 2024-11-12 22:17:26 +0000 Commit: Ashish SHUKLA <ashish@FreeBSD.org> CommitDate: 2024-11-12 22:20:17 +0000 security/vuxml: Document element-web vulnerabilities Security: CVE-2024-51749 Security: CVE-2024-51750 --- security/vuxml/vuln/2024.xml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 455cf03ece90..a7d36c690346 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,40 @@ + <vuln vid="ab4e6f65-a142-11ef-84e9-901b0e9408dc"> + <topic>element-web -- several vulnerabilities</topic> + <affects> + <package> + <name>element-web</name> + <range><lt>1.11.85</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Element team reports:</p> + <blockquote cite="https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2">; + <p>Versions of Element Web and Desktop earlier than 1.11.85 do + not check if thumbnails for attachments, stickers and images + are coherent. It is possible to add thumbnails to events + trigger a file download once clicked.</p> + </blockquote> + <blockquote cite="https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc">; + <p>A malicious homeserver can send invalid messages over + federation which can prevent Element Web and Desktop from + rendering single messages or the entire room containing + them.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-51749</cvename> + <cvename>CVE-2024-51750</cvename> + <url>https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2</url>; + <url>https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc</url>; + </references> + <dates> + <discovery>2024-11-12</discovery> + <entry>2024-11-12</entry> + </dates> + </vuln> + <vuln vid="574f7bc9-a141-11ef-84e9-901b0e9408dc"> <topic>Matrix clients -- mxc uri validation in js sdk</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202411122222.4ACMMkkp089583>