
Element X Android vulnerable to loading malicious web pages via received intent

High
davidegirardi published GHSA-m5px-pwq3-4p5m Apr 17, 2025

Package

No package listed

Affected versions

<= 25.04.1

Patched versions

25.04.2

Description

Impact

A crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with permissions similar to those of Element Call and automatically grant it temporary access to the microphone and camera.

Although the CVSS score is 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), we consider this issue High severity.

Patches

Fixed in version 25.04.2
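
A defensive pattern for the class of issue described under Impact, as an added example that is not Element's patch or code: a URL taken from a received intent is checked against an allowlist before it is loaded, and camera and microphone are granted only when the requesting origin passes the same check. The host `call.example.org` and the names `isTrustedCallUrl`, `CallChromeClient` and `loadCallPageFromIntent` are hypothetical.

```kotlin
import android.net.Uri
import android.webkit.PermissionRequest
import android.webkit.WebChromeClient
import android.webkit.WebView

// Hypothetical allowlist: the only hosts permitted to run call UI in the WebView.
private val TRUSTED_CALL_HOSTS = setOf("call.example.org")

// Accept only https URLs with an exact allowlisted host, no userinfo and the default port.
fun isTrustedCallUrl(uri: Uri?): Boolean {
    if (uri == null || !uri.isHierarchical) return false
    if (!"https".equals(uri.scheme, ignoreCase = true)) return false
    if (uri.userInfo != null) return false            // e.g. https://call.example.org@other.test/
    if (uri.port != -1 && uri.port != 443) return false
    val host = uri.host?.lowercase() ?: return false
    return host in TRUSTED_CALL_HOSTS                 // exact match, never suffix or substring
}

// Grants camera and microphone only to a trusted origin; every other request is denied.
// The check uses the origin of the request itself, so a page reached through a redirect
// away from the allowlisted host does not inherit the grant.
class CallChromeClient : WebChromeClient() {
    override fun onPermissionRequest(request: PermissionRequest) {
        val allowed = setOf(
            PermissionRequest.RESOURCE_AUDIO_CAPTURE,
            PermissionRequest.RESOURCE_VIDEO_CAPTURE,
        )
        val wanted = request.resources.filter { it in allowed }
        if (isTrustedCallUrl(request.origin) && wanted.isNotEmpty()) {
            request.grant(wanted.toTypedArray())
        } else {
            request.deny()
        }
    }
}

// Entry point for a URL taken from a received Intent (intent.data): validate, then load.
// Returns false when the link is dropped.
fun loadCallPageFromIntent(webView: WebView, data: Uri?): Boolean {
    val uri = data?.takeIf { isTrustedCallUrl(it) } ?: return false
    webView.webChromeClient = CallChromeClient()
    webView.loadUrl(uri.toString())
    return true
}
```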

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity

High

CVE ID

CVE-2025-27599