NodeJS/matrix-react-sdk/3.72.0-rc.1
SDK for matrix.org using React
https://www.npmjs.com/package/matrix-react-sdk
Apache-2.0
1 Security Vulnerabilities
matrix-react-sdk vulnerable to XSS in Export Chat feature
Published date: 2023-07-18T16:58:01Z
CVE: CVE-2023-37259
Links:
- https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65
- https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8
- https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.76.0
- https://github.com/advisories/GHSA-c9vx-2g7w-rp65
- https://nvd.nist.gov/vuln/detail/CVE-2023-37259
Description
The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.
Impact
Since the Export Chat feature generates a separate document, an attacker can only inject code run from the null origin, restricting the impact.
However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side.
Patches
This was patched in matrix-react-sdk 3.76.0.
Workarounds
None, other than not using the Export Chat feature.
References
N/A
Affected versions:
["3.32.0", "3.32.1", "3.33.0-rc.1", "3.33.0-rc.2", "3.33.0", "3.34.0-rc.1", "3.34.0", "3.35.0-rc.1", "3.35.1", "3.36.0-rc.1", "3.36.0", "3.36.1", "3.37.0-rc.1", "3.37.0", "3.38.0-rc.1", "3.38.0", "3.39.0-rc.1", "3.39.0-rc.2", "3.39.0", "3.39.1", "3.40.0-rc.1", "3.40.0-rc.2", "3.40.0", "3.40.1", "3.41.0-rc.1", "3.41.0", "3.41.1", "3.42.0-rc.1", "3.42.0", "3.42.1-rc.1", "3.42.1", "3.42.2-rc.1", "3.42.2-rc.2", "3.42.2-rc.3", "3.42.2-rc.4", "3.42.3", "3.42.4", "3.43.0-rc.1", "3.43.0", "3.44.0-rc.1", "3.44.0-rc.2", "3.44.0", "3.45.0-rc.2", "3.45.0-rc.3", "3.45.0", "3.46.0-rc.1", "3.46.0", "3.47.0", "3.48.0-rc.1", "3.48.0", "3.49.0-rc.1", "3.49.0-rc.2", "3.49.0", "3.50.0", "3.51.0-rc.1", "3.51.0", "3.52.0-rc.1", "3.52.0-rc.2", "3.52.0", "3.53.0-rc.1", "3.53.0-rc.2", "3.53.0", "3.54.0-rc.1", "3.54.0", "3.55.0-rc.1", "3.55.0", "3.56.0", "3.57.0", "3.58.0-rc.1", "3.58.0-rc.2", "3.58.0", "3.58.1", "3.59.0-rc.1", "3.59.0-rc.2", "3.59.0", "3.59.1", "3.60.0-rc.1", "3.60.0-rc.2", "3.60.0", "3.61.0-rc.1", "3.61.0", "3.62.0-rc.1", "3.62.0-rc.2", "3.62.0", "3.63.0-rc.2", "3.63.0", "3.64.0-rc.1", "3.64.0-rc.2", "3.64.0-rc.3", "3.64.0-rc.4", "3.64.0", "3.64.1", "3.64.2", "3.65.0-rc.1", "3.65.0", "3.66.0-rc.1", "3.66.0", "3.67.0-rc.1", "3.67.0-rc.2", "3.67.0", "3.68.0-rc.1", "3.68.0-rc.2", "3.68.0-rc.3", "3.68.0", "3.69.0", "3.69.1", "3.70.0-rc.1", "3.70.0", "3.71.0-rc.1", "3.71.0", "3.71.1", "3.72.0-rc.1", "3.72.0-rc.2", "3.72.0", "3.73.0-rc.1", "3.73.0-rc.2", "3.73.0-rc.3", "3.73.0", "3.73.1", "3.74.0-rc1", "3.74.0", "3.75.0-rc.1", "3.75.0", "3.76.0-rc.1", "3.76.0-rc.2"]
Secure versions:
[3.76.0, 3.77.0-rc.1, 3.77.0, 3.77.1, 3.78.0-rc.1, 3.78.0, 3.79.0-rc.2, 3.79.0, 3.80.0-rc.1, 3.80.0-rc.2, 3.80.0, 3.80.1, 3.81.0-rc.1, 3.81.0, 3.81.1, 3.82.0-rc.1, 3.82.0, 3.83.0-rc.1, 3.83.0, 3.84.0-rc.1, 3.84.0, 3.84.1, 3.85.0-rc.0, 3.85.0-rc.1, 3.85.0, 3.86.0-rc.2, 3.86.0, 3.87.0-rc.0, 3.87.0, 3.88.0, 3.89.0-rc.0, 3.89.0, 3.90.0, 3.91.0-rc.0, 3.91.0-rc.1, 3.91.0, 3.92.0-rc.0, 3.92.0-rc.1, 3.92.0, 3.93.0-rc.0, 3.93.0, 3.94.0-rc.0, 3.94.0, 3.95.0-rc.0, 3.95.0, 3.96.0-rc.0, 3.96.0, 3.96.1, 3.97.0-rc.0, 3.97.0, 3.98.0-rc.0, 3.98.0, 3.99.0-rc.0, 3.99.0-rc.1, 3.99.0, 3.100.0-rc.0]
Recommendation:
Update to version 3.99.0.
514 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.7.6-rc.2 | Apache-2.0 | 6 | 2020-01-08 - 11:21 | over 4 years |
| 1.7.6-rc.1 | Apache-2.0 | 6 | 2020-01-06 - 14:02 | over 4 years |
| 1.7.5 | Apache-2.0 | 6 | 2019-12-09 - 11:35 | over 4 years |
| 1.7.5-rc.1 | Apache-2.0 | 6 | 2019-12-04 - 12:04 | over 4 years |
| 1.7.4 | Apache-2.0 | 6 | 2019-11-27 - 10:39 | over 4 years |
| 1.7.3 | Apache-2.0 | 6 | 2019-11-25 - 13:32 | over 4 years |
| 1.7.3-rc.2 | Apache-2.0 | 6 | 2019-11-22 - 17:26 | over 4 years |
| 1.7.3-rc.1 | Apache-2.0 | 6 | 2019-11-20 - 18:30 | over 4 years |
| 1.7.2 | Apache-2.0 | 6 | 2019-11-06 - 14:17 | over 4 years |
| 1.7.1 | Apache-2.0 | 6 | 2019-11-04 - 15:13 | over 4 years |
| 1.7.1-rc.2 | Apache-2.0 | 6 | 2019-11-01 - 10:18 | over 4 years |
| 1.7.1-rc.1 | Apache-2.0 | 6 | 2019-10-30 - 16:48 | over 4 years |
| 1.7.0 | Apache-2.0 | 6 | 2019-10-18 - 13:49 | over 4 years |
| 1.7.0-rc.1 | Apache-2.0 | 6 | 2019-10-09 - 15:58 | over 4 years |
| 1.6.2 | Apache-2.0 | 6 | 2019-10-04 - 09:37 | over 4 years |
| 1.6.2-rc.1 | Apache-2.0 | 6 | 2019-10-02 - 09:26 | over 4 years |
| 1.6.1 | Apache-2.0 | 6 | 2019-10-01 - 10:40 | over 4 years |
| 1.6.0 | Apache-2.0 | 6 | 2019-09-27 - 10:52 | over 4 years |
| 1.6.0-rc.2 | Apache-2.0 | 6 | 2019-09-26 - 11:06 | over 4 years |
| 1.6.0-rc.1 | Apache-2.0 | 6 | 2019-09-25 - 16:28 | over 4 years |
| 1.5.3 | Apache-2.0 | 6 | 2019-09-16 - 16:45 | over 4 years |
| 1.5.3-rc.3 | Apache-2.0 | 6 | 2019-09-13 - 15:19 | over 4 years |
| 1.5.3-rc.2 | Apache-2.0 | 6 | 2019-09-13 - 13:23 | over 4 years |
| 1.5.3-rc.1 | Apache-2.0 | 6 | 2019-09-12 - 17:37 | over 4 years |
| 1.5.2 | Apache-2.0 | 6 | 2019-09-12 - 11:56 | over 4 years |
| 1.5.2-rc.1 | Apache-2.0 | 6 | 2019-09-11 - 17:44 | over 4 years |
| 1.5.1 | Apache-2.0 | 6 | 2019-08-05 - 13:34 | almost 5 years |
| 1.5.0 | Apache-2.0 | 6 | 2019-08-05 - 11:02 | almost 5 years |
| 1.5.0-rc.1 | Apache-2.0 | 6 | 2019-07-31 - 15:47 | almost 5 years |
| 1.4.0 | Apache-2.0 | 6 | 2019-07-18 - 14:51 | almost 5 years |
| 1.4.0-rc.3 | Apache-2.0 | 6 | 2019-07-15 - 16:29 | almost 5 years |
| 1.4.0-rc.2 | Apache-2.0 | 6 | 2019-07-12 - 16:33 | almost 5 years |
| 1.4.0-rc.1 | Apache-2.0 | 6 | 2019-07-12 - 10:29 | almost 5 years |
| 1.3.1 | Apache-2.0 | 6 | 2019-07-11 - 10:04 | almost 5 years |
| 1.3.0 | Apache-2.0 | 6 | 2019-07-08 - 09:53 | almost 5 years |
| 1.3.0-rc.1 | Apache-2.0 | 6 | 2019-07-03 - 15:56 | almost 5 years |
| 1.2.2 | Apache-2.0 | 6 | 2019-06-19 - 14:52 | almost 5 years |
| 1.2.2-rc.2 | Apache-2.0 | 6 | 2019-06-18 - 14:53 | almost 5 years |
| 1.2.2-rc.1 | Apache-2.0 | 6 | 2019-06-12 - 11:00 | almost 5 years |
| 1.2.1 | Apache-2.0 | 6 | 2019-05-31 - 10:26 | almost 5 years |
| 1.2.0 | Apache-2.0 | 6 | 2019-05-29 - 15:02 | almost 5 years |
| 1.2.0-rc.1 | Apache-2.0 | 6 | 2019-05-23 - 16:16 | almost 5 years |
| 1.1.2 | Apache-2.0 | 6 | 2019-05-15 - 13:31 | about 5 years |
| 1.1.1 | Apache-2.0 | 6 | 2019-05-14 - 12:49 | about 5 years |
| 1.1.0 | Apache-2.0 | 6 | 2019-05-07 - 14:36 | about 5 years |
| 1.1.0-rc.1 | Apache-2.0 | 6 | 2019-04-30 - 11:02 | about 5 years |
| 1.0.7 | Apache-2.0 | 6 | 2019-04-08 - 14:13 | about 5 years |
| 1.0.6 | Apache-2.0 | 6 | 2019-04-01 - 12:44 | about 5 years |
| 1.0.6-rc.1 | Apache-2.0 | 6 | 2019-03-27 - 17:40 | about 5 years |
| 1.0.5 | Apache-2.0 | 6 | 2019-03-21 - 10:28 | about 5 years |
| 1.0.4 | Apache-2.0 | 6 | 2019-03-18 - 13:57 | about 5 years |
| 1.0.4-rc.1 | Apache-2.0 | 6 | 2019-03-13 - 14:54 | about 5 years |
| 1.0.3 | Apache-2.0 | 6 | 2019-03-06 - 15:47 | about 5 years |
| 1.0.2 | Apache-2.0 | 6 | 2019-03-06 - 11:27 | about 5 years |
| 1.0.2-rc.4 | Apache-2.0 | 6 | 2019-03-05 - 19:18 | about 5 years |
| 1.0.2-rc.3 | Apache-2.0 | 6 | 2019-03-01 - 17:37 | about 5 years |
| 1.0.2-rc.2 | Apache-2.0 | 6 | 2019-03-01 - 12:18 | about 5 years |
| 1.0.2-rc.1 | Apache-2.0 | 6 | 2019-02-28 - 14:49 | about 5 years |
| 1.0.1 | Apache-2.0 | 6 | 2019-02-15 - 12:53 | over 5 years |
| 1.0.0 | Apache-2.0 | 6 | 2019-02-14 - 16:55 | over 5 years |
| 1.0.0-rc.2 | Apache-2.0 | 6 | 2019-02-14 - 11:16 | over 5 years |
| 1.0.0-rc.1 | Apache-2.0 | 6 | 2019-02-08 - 18:44 | over 5 years |
| 0.14.8 | Apache-2.0 | 6 | 2019-01-22 - 11:27 | over 5 years |
| 0.14.8-rc.1 | Apache-2.0 | 6 | 2019-01-17 - 10:55 | over 5 years |
| 0.14.7 | Apache-2.0 | 6 | 2018-12-10 - 13:44 | over 5 years |
| 0.14.7-rc.2 | Apache-2.0 | 6 | 2018-12-06 - 12:40 | over 5 years |
| 0.14.7-rc.1 | Apache-2.0 | 6 | 2018-12-06 - 11:19 | over 5 years |
| 0.14.6 | Apache-2.0 | 6 | 2018-11-22 - 16:55 | over 5 years |
| 0.14.5 | Apache-2.0 | 6 | 2018-11-19 - 15:19 | over 5 years |
| 0.14.5-rc.2 | Apache-2.0 | 6 | 2018-11-15 - 15:30 | over 5 years |
| 0.14.5-rc.1 | Apache-2.0 | 6 | 2018-11-15 - 12:19 | over 5 years |
| 0.14.4 | Apache-2.0 | 6 | 2018-11-13 - 18:50 | over 5 years |
| 0.14.3 | Apache-2.0 | 6 | 2018-11-13 - 17:58 | over 5 years |
| 0.14.2 | Apache-2.0 | 6 | 2018-10-29 - 14:07 | over 5 years |
| 0.14.2-rc.1 | Apache-2.0 | 6 | 2018-10-24 - 10:24 | over 5 years |
| 0.14.1 | Apache-2.0 | 6 | 2018-10-19 - 14:39 | over 5 years |
| 0.14.0 | Apache-2.0 | 6 | 2018-10-16 - 09:54 | over 5 years |
| 0.14.0-rc.1 | Apache-2.0 | 6 | 2018-10-11 - 14:40 | over 5 years |
| 0.13.6 | Apache-2.0 | 6 | 2018-10-08 - 15:08 | over 5 years |
| 0.13.5 | Apache-2.0 | 6 | 2018-10-01 - 14:09 | over 5 years |
| 0.13.5-rc.1 | Apache-2.0 | 6 | 2018-09-27 - 12:51 | over 5 years |
| 0.13.4 | Apache-2.0 | 6 | 2018-09-10 - 10:39 | over 5 years |
| 0.13.4-rc.1 | Apache-2.0 | 6 | 2018-09-07 - 13:36 | over 5 years |
| 0.13.3 | Apache-2.0 | 6 | 2018-09-03 - 13:26 | over 5 years |
| 0.13.3-rc.2 | Apache-2.0 | 6 | 2018-08-31 - 12:49 | over 5 years |
| 0.13.3-rc.1 | Apache-2.0 | 6 | 2018-08-30 - 13:29 | over 5 years |
| 0.13.2 | Apache-2.0 | 6 | 2018-08-23 - 14:26 | over 5 years |
| 0.13.1 | Apache-2.0 | 6 | 2018-08-20 - 12:56 | over 5 years |
| 0.13.1-rc.1 | Apache-2.0 | 6 | 2018-08-16 - 14:27 | almost 6 years |
| 0.13.0 | Apache-2.0 | 6 | 2018-07-30 - 10:58 | almost 6 years |
| 0.13.0-rc.2 | Apache-2.0 | 6 | 2018-07-24 - 18:35 | almost 6 years |
| 0.13.0-rc.1 | Apache-2.0 | 6 | 2018-07-24 - 17:32 | almost 6 years |
| 0.12.9 | Apache-2.0 | 6 | 2018-07-09 - 12:11 | almost 6 years |
| 0.12.9-rc.2 | Apache-2.0 | 6 | 2018-07-06 - 14:52 | almost 6 years |
| 0.12.9-rc.1 | Apache-2.0 | 6 | 2018-07-04 - 10:23 | almost 6 years |
| 0.12.8 | Apache-2.0 | 6 | 2018-06-29 - 10:40 | almost 6 years |
| 0.12.8-rc.2 | Apache-2.0 | 6 | 2018-06-22 - 17:09 | almost 6 years |
| 0.12.8-rc.1 | Apache-2.0 | 6 | 2018-06-21 - 09:07 | almost 6 years |
| 0.12.7 | Apache-2.0 | 6 | 2018-06-12 - 13:22 | almost 6 years |
| 0.12.7-rc.1 | Apache-2.0 | 6 | 2018-06-06 - 15:07 | almost 6 years |