Impact
Element Android versions 1.4.3 (released on 2022-09-10) through 1.6.10 are vulnerable to intent redirection, allowing a third-party malicious application installed on the phone to start any internal activity by passing some extra parameters.
This could be exploited to make Element Android display an arbitrary web page or bypass the PIN code protection.
Patches
Fixed in Element Android 1.6.12 (commit 5373425).
Workarounds
There is no known workaround to mitigate the issue.
References
For more information:
If you have any questions or comments about this advisory, please email us at security at element.io.
Impact
Element Android versions 1.4.3 (released on 2022-09-10) through 1.6.10 are vulnerable to intent redirection, allowing a third-party malicious application installed on the phone to start any internal activity by passing some extra parameters.
This could be exploited to make Element Android display an arbitrary web page or bypass the PIN code protection.
Patches
Fixed in Element Android 1.6.12 (commit 5373425).
Workarounds
There is no known workaround to mitigate the issue.
References
For more information:
If you have any questions or comments about this advisory, please email us at security at element.io.