From bc802280cb4534a7114c6eec9b5998e46fce5cad Mon Sep 17 00:00:00 2001
From: "J. Ryan Stinnett" <jryans@gmail.com>
Date: Wed, 14 Apr 2021 12:38:11 +0100
Subject: [PATCH] Update security notice

New information came to light after the original report, so this updates the
notice to match the latest details.
---
 CHANGELOG.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17da59b8c5..ec73756ff9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -312,11 +312,12 @@ Changes in [3.15.0](https://github.com/matrix-org/matrix-react-sdk/releases/tag/
 
 ## Security notice
 
-matrix-react-sdk 3.15.0 fixes a low severity issue (CVE-2021-21320) where the
-user content sandbox can be abused to trick users into opening unexpected
-documents. The content is opened with a `blob` origin that cannot access Matrix
-user data, so messages and secrets are not at risk. Thanks to @keerok for
-responsibly disclosing this via Matrix's Security Disclosure Policy.
+matrix-react-sdk 3.15.0 fixes a moderate severity issue (CVE-2021-21320) where
+the user content sandbox can be abused to trick users into opening unexpected
+documents after several user interactions. The content can be opened with a
+`blob` origin from the Matrix client, so it is possible for a malicious document
+to access user messages and secrets. Thanks to @keerok for responsibly
+disclosing this via Matrix's Security Disclosure Policy.
 
 ## All changes