{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-47771","title":"Title"},{"category":"description","text":"Element Desktop is a Matrix client for desktop platforms. Element Desktop versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-47771","url":"https://www.suse.com/security/cve/CVE-2024-47771"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1231666 for CVE-2024-47771","url":"https://bugzilla.suse.com/1231666"},{"category":"external","summary":"SUSE Bug 1231695 for CVE-2024-47771","url":"https://bugzilla.suse.com/1231695"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:14406-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KQNDUBJFHLJVEPUM4DHLDV6T3EUECFA7/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:14407-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K6P26C4CYVFGY4V3OGMMHKWBXKSMNSQ6/"}],"title":"SUSE CVE CVE-2024-47771","tracking":{"current_release_date":"2025-03-15T04:31:58Z","generator":{"date":"2024-10-16T02:50:52Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-47771","initial_release_date":"2024-10-16T02:50:52Z","revision_history":[{"date":"2024-10-16T02:50:52Z","number":"2","summary":"Current version"},{"date":"2024-10-17T02:48:30Z","number":"3","summary":"Current version"},{"date":"2024-10-18T02:49:53Z","number":"4","summary":"Current version"},{"date":"2024-10-20T02:48:03Z","number":"5","summary":"Current version"},{"date":"2025-01-01T00:36:03Z","number":"6","summary":"Current version"},{"date":"2025-02-06T03:58:40Z","number":"7","summary":"Current version"},{"date":"2025-02-14T04:22:18Z","number":"8","summary":"Current version"},{"date":"2025-02-16T04:14:31Z","number":"9","summary":"Current version"},{"date":"2025-03-15T04:31:58Z","number":"10","summary":"Current version"}],"status":"interim","version":"10"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"element-desktop-1.11.81-1.1","product":{"name":"element-desktop-1.11.81-1.1","product_id":"element-desktop-1.11.81-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/element-desktop@1.11.81-1.1"}}},{"category":"product_version","name":"element-web-1.11.81-1.1","product":{"name":"element-web-1.11.81-1.1","product_id":"element-web-1.11.81-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/element-web@1.11.81-1.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"element-desktop-1.11.81-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:element-desktop-1.11.81-1.1"},"product_reference":"element-desktop-1.11.81-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"element-web-1.11.81-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:element-web-1.11.81-1.1"},"product_reference":"element-web-1.11.81-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2024-47771","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-47771"}],"notes":[{"category":"general","text":"Element Desktop is a Matrix client for desktop platforms. Element Desktop versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:element-desktop-1.11.81-1.1","openSUSE Tumbleweed:element-web-1.11.81-1.1"]},"references":[{"category":"external","summary":"CVE-2024-47771","url":"https://www.suse.com/security/cve/CVE-2024-47771"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1231666 for CVE-2024-47771","url":"https://bugzilla.suse.com/1231666"},{"category":"external","summary":"SUSE Bug 1231695 for CVE-2024-47771","url":"https://bugzilla.suse.com/1231695"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:14406-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KQNDUBJFHLJVEPUM4DHLDV6T3EUECFA7/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:14407-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K6P26C4CYVFGY4V3OGMMHKWBXKSMNSQ6/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:element-desktop-1.11.81-1.1","openSUSE Tumbleweed:element-web-1.11.81-1.1"]}],"threats":[{"category":"impact","date":"2024-10-15T12:30:11Z","details":"moderate"}],"title":"CVE-2024-47771"}]}