Update security notice

New information came to light after the original report, so this updates the
notice to match the latest details.
pull/16962/head
J. Ryan Stinnett 2021-04-14 12:43:49 +01:00
parent ddbfab4fc5
commit 3228a3abd1
1 changed files with 5 additions and 5 deletions

View File

@ -90,12 +90,12 @@ Changes in [1.7.22](https://github.com/vector-im/element-web/releases/tag/v1.7.2
## Security notice
Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a low
Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a moderate
severity issue (CVE-2021-21320) where the user content sandbox can be abused to
trick users into opening unexpected documents. The content is opened with a
`blob` origin that cannot access Matrix user data, so messages and secrets are
not at risk. Thanks to @keerok for responsibly disclosing this via Matrix's
Security Disclosure Policy.
trick users into opening unexpected documents after several user interactions.
The content can be opened with a `blob` origin from the Matrix client, so it is
possible for a malicious document to access user messages and secrets. Thanks to
@keerok for responsibly disclosing this via Matrix's Security Disclosure Policy.
## All changes