Update security notice

New information came to light after the original report, so this updates the
notice to match the latest details.
pull/16962/head
J. Ryan Stinnett 1 year ago
parent ddbfab4fc5
commit 3228a3abd1
  1. 10
      CHANGELOG.md

@ -90,12 +90,12 @@ Changes in [1.7.22](https://github.com/vector-im/element-web/releases/tag/v1.7.2
## Security notice
Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a low
Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a moderate
severity issue (CVE-2021-21320) where the user content sandbox can be abused to
trick users into opening unexpected documents. The content is opened with a
`blob` origin that cannot access Matrix user data, so messages and secrets are
not at risk. Thanks to @keerok for responsibly disclosing this via Matrix's
Security Disclosure Policy.
trick users into opening unexpected documents after several user interactions.
The content can be opened with a `blob` origin from the Matrix client, so it is
possible for a malicious document to access user messages and secrets. Thanks to
@keerok for responsibly disclosing this via Matrix's Security Disclosure Policy.
## All changes

Loading…
Cancel
Save