Update security notice
New information came to light after the original report, so this updates the notice to match the latest details.
This commit is contained in:
parent
ddbfab4fc5
commit
3228a3abd1
1 changed files with 5 additions and 5 deletions
10
CHANGELOG.md
10
CHANGELOG.md
|
@ -90,12 +90,12 @@ Changes in [1.7.22](https://github.com/vector-im/element-web/releases/tag/v1.7.2
|
||||||
|
|
||||||
## Security notice
|
## Security notice
|
||||||
|
|
||||||
Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a low
|
Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a moderate
|
||||||
severity issue (CVE-2021-21320) where the user content sandbox can be abused to
|
severity issue (CVE-2021-21320) where the user content sandbox can be abused to
|
||||||
trick users into opening unexpected documents. The content is opened with a
|
trick users into opening unexpected documents after several user interactions.
|
||||||
`blob` origin that cannot access Matrix user data, so messages and secrets are
|
The content can be opened with a `blob` origin from the Matrix client, so it is
|
||||||
not at risk. Thanks to @keerok for responsibly disclosing this via Matrix's
|
possible for a malicious document to access user messages and secrets. Thanks to
|
||||||
Security Disclosure Policy.
|
@keerok for responsibly disclosing this via Matrix's Security Disclosure Policy.
|
||||||
|
|
||||||
## All changes
|
## All changes
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue