NodeJS/matrix-react-sdk/3.72.0
SDK for matrix.org using React
https://www.npmjs.com/package/matrix-react-sdk
Apache-2.0
1 Security Vulnerabilities
matrix-react-sdk vulnerable to XSS in Export Chat feature
- https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65
- https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8
- https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.76.0
- https://github.com/advisories/GHSA-c9vx-2g7w-rp65
- https://nvd.nist.gov/vuln/detail/CVE-2023-37259
Description
The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.
Impact
Since the Export Chat feature generates a separate document, an attacker can only inject code run from the null
origin, restricting the impact.
However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side.
Patches
This was patched in matrix-react-sdk 3.76.0.
Workarounds
None, other than not using the Export Chat feature.
References
N/A
514 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
0.6.3 | Apache-2.0 | 6 | 2016-06-03 - 11:18 | almost 8 years |
0.6.2 | Apache-2.0 | 6 | 2016-06-02 - 17:55 | almost 8 years |
0.6.1 | Apache-2.0 | 6 | 2016-06-02 - 17:33 | almost 8 years |
0.6.0 | Apache-2.0 | 6 | 2016-06-02 - 12:38 | almost 8 years |
0.5.2 | Apache-2.0 | 6 | 2016-04-22 - 10:21 | about 8 years |
0.5.1 | Apache-2.0 | 6 | 2016-04-19 - 12:35 | about 8 years |
0.5.0 | Apache-2.0 | 6 | 2016-04-19 - 12:20 | about 8 years |
0.4.0 | Apache-2.0 | 6 | 2016-03-30 - 12:25 | about 8 years |
0.3.1 | Apache-2.0 | 6 | 2016-03-23 - 14:56 | about 8 years |
0.3.0 | Apache-2.0 | 6 | 2016-03-23 - 14:01 | about 8 years |
0.2.0 | Apache-2.0 | 6 | 2016-03-11 - 14:51 | about 8 years |
0.1.0 | Apache-2.0 | 6 | 2016-02-24 - 14:17 | about 8 years |
0.0.2 | Apache-2.0 | 6 | 2015-10-28 - 18:16 | over 8 years |
0.0.1 | Apache-2.0 | 6 | 2015-10-02 - 17:54 | over 8 years |