Hello,
Today we have released a security update of Element Android to address a pair of vulnerabilities. Please upgrade to the new version (1.6.12) at your earliest convenience.
The two vulnerabilities are as follows:
- Sensitive file disclosure via share activity (Medium, CVE-2024-26132, GHSA-8wj9-cx7h-pvm4)
- Intent redirection (High, CVE-2024-26131, GHSA-j6pr-fpc8-q9vm)
Both vulnerabilities require a malicious third-party application to be installed on the phone, alongside a vulnerable Element Android, in order to be exploited.
The new version is available on the Play Store, but we have also worked with the F-Droid package repository and SchildiChat Android (a fork of Element Android) to help ensure they have timely releases as well.
Finally, we thank Pietro "suidpit" Tirenna, Davide "TheZero" Silvetti and Abdel Adim "smaury" Oisfi of Shielder for finding and responsibly disclosing these issues to us, helping make Element and Matrix safer for everyone.