mirror of
https://github.com/element-hq/element-web
synced 2024-11-22 09:15:41 +03:00
Update security notice
New information came to light after the original report, so this updates the notice to match the latest details.
This commit is contained in:
J. Ryan Stinnett
parent
87b87bfad4
commit
bc802280cb
1 changed files with 6 additions and 5 deletions
11
CHANGELOG.md
11
CHANGELOG.md
|
|
@ -312,11 +312,12 @@ Changes in [3.15.0](https://github.com/matrix-org/matrix-react-sdk/releases/tag/
|
||||||
|
|
||||||
## Security notice
|
## Security notice
|
||||||
|
|
||||||
matrix-react-sdk 3.15.0 fixes a low severity issue (CVE-2021-21320) where the
|
matrix-react-sdk 3.15.0 fixes a moderate severity issue (CVE-2021-21320) where
|
||||||
user content sandbox can be abused to trick users into opening unexpected
|
the user content sandbox can be abused to trick users into opening unexpected
|
||||||
documents. The content is opened with a `blob` origin that cannot access Matrix
|
documents after several user interactions. The content can be opened with a
|
||||||
user data, so messages and secrets are not at risk. Thanks to @keerok for
|
`blob` origin from the Matrix client, so it is possible for a malicious document
|
||||||
responsibly disclosing this via Matrix's Security Disclosure Policy.
|
to access user messages and secrets. Thanks to @keerok for responsibly
|
||||||
|
disclosing this via Matrix's Security Disclosure Policy.
|
||||||
|
|
||||||
## All changes
|
## All changes
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue