{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-51749", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-31T14:12:45.790Z", "datePublished": "2024-11-12T16:34:21.603Z", "dateUpdated": "2024-11-12T17:14:30.943Z"}, "containers": {"cna": {"title": "Element's thumbnails can be abused to misrepresent the content of an attachment", "problemTypes": [{"descriptions": [{"cweId": "CWE-451", "lang": "en", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2"}, {"name": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5", "tags": ["x_refsource_MISC"], "url": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5"}], "affected": [{"vendor": "element-hq", "product": "element-web", "versions": [{"version": "< 1.11.85", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-12T16:34:21.603Z"}, "descriptions": [{"lang": "en", "value": "Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events trigger a file download once clicked. Fixed in element-web 1.11.85."}], "source": {"advisory": "GHSA-5486-384g-mcx2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-12T17:14:12.000969Z", "id": "CVE-2024-51749", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T17:14:30.943Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-51749", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-31T14:12:45.790Z", "datePublished": "2024-11-12T16:34:21.603Z", "dateUpdated": "2024-11-12T17:14:30.943Z"}, "containers": {"cna": {"title": "Element's thumbnails can be abused to misrepresent the content of an attachment", "problemTypes": [{"descriptions": [{"cweId": "CWE-451", "lang": "en", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2"}, {"name": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5", "tags": ["x_refsource_MISC"], "url": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5"}], "affected": [{"vendor": "element-hq", "product": "element-web", "versions": [{"version": "< 1.11.85", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-12T16:34:21.603Z"}, "descriptions": [{"lang": "en", "value": "Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events trigger a file download once clicked. Fixed in element-web 1.11.85."}], "source": {"advisory": "GHSA-5486-384g-mcx2", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-51749", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-12T17:14:12.000969Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T17:14:22.299Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events trigger a file download once clicked. Fixed in element-web 1.11.85."}, {"lang": "es", "value": "Element es un cliente web de Matrix creado con el SDK de Matrix React. Las versiones de Element Web y Desktop anteriores a la 1.11.85 no comprueban si las miniaturas de los archivos adjuntos, las pegatinas y las im\u00e1genes son coherentes. Es posible a\u00f1adir miniaturas a eventos que activen la descarga de un archivo al hacer clic en ellos. Se ha corregido en element-web 1.11.85."}], "id": "CVE-2024-51749", "lastModified": "2024-11-13T17:01:58.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-12T17:15:09.910", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5"}, {"source": "security-advisories@github.com", "url": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}