Update security notice

New information came to light after the original report, so this updates the notice to match the latest details.
2021-04-14 12:43:49 +01:00 · 2021-04-14 12:43:49 +01:00 · 3228a3abd1
parent ddbfab4fc5
commit 3228a3abd1
1 changed files with 5 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -90,12 +90,12 @@ Changes in [1.7.22](https://github.com/vector-im/element-web/releases/tag/v1.7.2

 ## Security notice

-Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a low
+Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a moderate
 severity issue (CVE-2021-21320) where the user content sandbox can be abused to
-trick users into opening unexpected documents. The content is opened with a
-`blob` origin that cannot access Matrix user data, so messages and secrets are
-not at risk.  Thanks to @keerok for responsibly disclosing this via Matrix's
-Security Disclosure Policy.
+trick users into opening unexpected documents after several user interactions.
+The content can be opened with a `blob` origin from the Matrix client, so it is
+possible for a malicious document to access user messages and secrets. Thanks to
+@keerok for responsibly disclosing this via Matrix's Security Disclosure Policy.

 ## All changes