NodeJS/matrix-react-sdk/3.73.0-rc.2
SDK for matrix.org using React

https://www.npmjs.com/package/matrix-react-sdk
Apache-2.0

1 Security Vulnerabilities

matrix-react-sdk vulnerable to XSS in Export Chat feature

Published date: 2023-07-18T16:58:01Z
CVE: CVE-2023-37259
Links:

Description

The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.

Impact

Since the Export Chat feature generates a separate document, an attacker can only inject code that runs in the null origin (the exported document itself, not the origin of the Matrix client), which restricts the impact.

However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker, since the affected inputs are controllable server-side.

Patches

This was patched in matrix-react-sdk 3.76.0.

Workarounds

None, other than not using the Export Chat feature.

References

N/A

Affected versions: ["3.32.0", "3.32.1", "3.33.0-rc.1", "3.33.0-rc.2", "3.33.0", "3.34.0-rc.1", "3.34.0", "3.35.0-rc.1", "3.35.1", "3.36.0-rc.1", "3.36.0", "3.36.1", "3.37.0-rc.1", "3.37.0", "3.38.0-rc.1", "3.38.0", "3.39.0-rc.1", "3.39.0-rc.2", "3.39.0", "3.39.1", "3.40.0-rc.1", "3.40.0-rc.2", "3.40.0", "3.40.1", "3.41.0-rc.1", "3.41.0", "3.41.1", "3.42.0-rc.1", "3.42.0", "3.42.1-rc.1", "3.42.1", "3.42.2-rc.1", "3.42.2-rc.2", "3.42.2-rc.3", "3.42.2-rc.4", "3.42.3", "3.42.4", "3.43.0-rc.1", "3.43.0", "3.44.0-rc.1", "3.44.0-rc.2", "3.44.0", "3.45.0-rc.2", "3.45.0-rc.3", "3.45.0", "3.46.0-rc.1", "3.46.0", "3.47.0", "3.48.0-rc.1", "3.48.0", "3.49.0-rc.1", "3.49.0-rc.2", "3.49.0", "3.50.0", "3.51.0-rc.1", "3.51.0", "3.52.0-rc.1", "3.52.0-rc.2", "3.52.0", "3.53.0-rc.1", "3.53.0-rc.2", "3.53.0", "3.54.0-rc.1", "3.54.0", "3.55.0-rc.1", "3.55.0", "3.56.0", "3.57.0", "3.58.0-rc.1", "3.58.0-rc.2", "3.58.0", "3.58.1", "3.59.0-rc.1", "3.59.0-rc.2", "3.59.0", "3.59.1", "3.60.0-rc.1", "3.60.0-rc.2", "3.60.0", "3.61.0-rc.1", "3.61.0", "3.62.0-rc.1", "3.62.0-rc.2", "3.62.0", "3.63.0-rc.2", "3.63.0", "3.64.0-rc.1", "3.64.0-rc.2", "3.64.0-rc.3", "3.64.0-rc.4", "3.64.0", "3.64.1", "3.64.2", "3.65.0-rc.1", "3.65.0", "3.66.0-rc.1", "3.66.0", "3.67.0-rc.1", "3.67.0-rc.2", "3.67.0", "3.68.0-rc.1", "3.68.0-rc.2", "3.68.0-rc.3", "3.68.0", "3.69.0", "3.69.1", "3.70.0-rc.1", "3.70.0", "3.71.0-rc.1", "3.71.0", "3.71.1", "3.72.0-rc.1", "3.72.0-rc.2", "3.72.0", "3.73.0-rc.1", "3.73.0-rc.2", "3.73.0-rc.3", "3.73.0", "3.73.1", "3.74.0-rc1", "3.74.0", "3.75.0-rc.1", "3.75.0", "3.76.0-rc.1", "3.76.0-rc.2"]
Secure versions: ["3.76.0", "3.77.0-rc.1", "3.77.0", "3.77.1", "3.78.0-rc.1", "3.78.0", "3.79.0-rc.2", "3.79.0", "3.80.0-rc.1", "3.80.0-rc.2", "3.80.0", "3.80.1", "3.81.0-rc.1", "3.81.0", "3.81.1", "3.82.0-rc.1", "3.82.0", "3.83.0-rc.1", "3.83.0", "3.84.0-rc.1", "3.84.0", "3.84.1", "3.85.0-rc.0", "3.85.0-rc.1", "3.85.0", "3.86.0-rc.2", "3.86.0", "3.87.0-rc.0", "3.87.0", "3.88.0", "3.89.0-rc.0", "3.89.0", "3.90.0", "3.91.0-rc.0", "3.91.0-rc.1", "3.91.0", "3.92.0-rc.0", "3.92.0-rc.1", "3.92.0", "3.93.0-rc.0", "3.93.0", "3.94.0-rc.0", "3.94.0", "3.95.0-rc.0", "3.95.0", "3.96.0-rc.0", "3.96.0", "3.96.1", "3.97.0-rc.0", "3.97.0", "3.98.0-rc.0", "3.98.0", "3.99.0-rc.0", "3.99.0-rc.1", "3.99.0", "3.100.0-rc.0"]
Recommendation: Update to version 3.99.0.

514 Other Versions

Version License Security Released
0.12.6 Apache-2.0 6 2018-05-25 - 14:16 almost 6 years
0.12.6-rc.1 Apache-2.0 6 2018-05-24 - 17:23 almost 6 years
0.12.5 Apache-2.0 6 2018-05-17 - 16:05 almost 6 years
0.12.4 Apache-2.0 6 2018-05-16 - 10:49 about 6 years
0.12.4-rc.6 Apache-2.0 6 2018-05-15 - 17:04 about 6 years
0.12.4-rc.5 Apache-2.0 6 2018-05-15 - 14:54 about 6 years
0.12.4-rc.4 Apache-2.0 6 2018-05-14 - 17:23 about 6 years
0.12.4-rc.3 Apache-2.0 6 2018-05-11 - 17:27 about 6 years
0.12.4-rc.2 Apache-2.0 6 2018-05-09 - 16:35 about 6 years
0.12.4-rc.1 Apache-2.0 6 2018-05-09 - 12:45 about 6 years
0.12.3 Apache-2.0 6 2018-04-30 - 12:38 about 6 years
0.12.3-rc.3 Apache-2.0 6 2018-04-26 - 10:20 about 6 years
0.12.3-rc.2 Apache-2.0 6 2018-04-25 - 15:33 about 6 years
0.12.3-rc.1 Apache-2.0 6 2018-04-25 - 14:33 about 6 years
0.12.2 Apache-2.0 6 2018-04-12 - 11:51 about 6 years
0.12.1 Apache-2.0 6 2018-04-11 - 10:55 about 6 years
0.12.0 Apache-2.0 6 2018-04-11 - 10:31 about 6 years
0.12.0-rc.7 Apache-2.0 6 2018-04-10 - 13:28 about 6 years
0.12.0-rc.6 Apache-2.0 6 2018-04-09 - 16:10 about 6 years
0.12.0-rc.5 Apache-2.0 6 2018-04-09 - 14:41 about 6 years
0.12.0-rc.4 Apache-2.0 6 2018-03-22 - 13:18 about 6 years
0.12.0-rc.3 Apache-2.0 6 2018-03-20 - 17:38 about 6 years
0.12.0-rc.2 Apache-2.0 6 2018-03-19 - 14:59 about 6 years
0.12.0-rc.1 Apache-2.0 6 2018-03-19 - 12:16 about 6 years
0.11.4 Apache-2.0 6 2018-02-09 - 12:34 over 6 years
0.11.4-cryptowarning.2 Apache-2.0 6 2018-03-26 - 14:40 about 6 years
0.11.4-cryptowarning.1 Apache-2.0 6 2018-03-26 - 13:21 about 6 years
0.11.3 Apache-2.0 6 2017-12-04 - 12:24 over 6 years
0.11.2 Apache-2.0 6 2017-11-28 - 10:25 over 6 years
0.11.1 Apache-2.0 6 2017-11-17 - 16:04 over 6 years
0.11.0 Apache-2.0 6 2017-11-15 - 11:01 over 6 years
0.11.0-rc.3 Apache-2.0 6 2017-11-14 - 14:17 over 6 years
0.11.0-rc.2 Apache-2.0 6 2017-11-10 - 16:45 over 6 years
0.11.0-rc.1 Apache-2.0 6 2017-11-10 - 13:40 over 6 years
0.10.7 Apache-2.0 6 2017-10-16 - 13:45 over 6 years
0.10.7-rc.3 Apache-2.0 6 2017-10-13 - 15:32 over 6 years
0.10.7-rc.2 Apache-2.0 6 2017-10-13 - 14:03 over 6 years
0.10.7-rc.1 Apache-2.0 6 2017-10-13 - 10:11 over 6 years
0.10.6 Apache-2.0 6 2017-09-21 - 20:47 over 6 years
0.10.5 Apache-2.0 6 2017-09-21 - 17:02 over 6 years
0.10.4 Apache-2.0 6 2017-09-20 - 14:13 over 6 years
0.10.4-rc.1 Apache-2.0 6 2017-09-19 - 09:51 over 6 years
0.10.3 Apache-2.0 6 2017-09-06 - 12:26 over 6 years
0.10.3-rc.2 Apache-2.0 6 2017-09-05 - 12:13 over 6 years
0.10.3-rc.1 Apache-2.0 6 2017-09-01 - 15:17 over 6 years
0.10.2 Apache-2.0 6 2017-08-24 - 13:50 over 6 years
0.10.1 Apache-2.0 6 2017-08-23 - 14:56 over 6 years
0.10.1-rc.1 Apache-2.0 6 2017-08-22 - 17:53 over 6 years
0.10.0-rc.2 Apache-2.0 6 2017-08-22 - 13:11 over 6 years
0.10.0-rc.1 Apache-2.0 6 2017-08-16 - 08:58 over 6 years
0.9.7 Apache-2.0 6 2017-06-22 - 10:57 almost 7 years
0.9.6 Apache-2.0 6 2017-06-20 - 12:08 almost 7 years
0.9.5 Apache-2.0 6 2017-06-19 - 12:10 almost 7 years
0.9.5-rc.2 Apache-2.0 6 2017-06-16 - 12:29 almost 7 years
0.9.5-rc.1 Apache-2.0 6 2017-06-15 - 16:17 almost 7 years
0.9.4 Apache-2.0 6 2017-06-14 - 10:17 almost 7 years
0.9.3 Apache-2.0 6 2017-06-12 - 14:51 almost 7 years
0.9.3-rc.2 Apache-2.0 6 2017-06-09 - 21:14 almost 7 years
0.9.3-rc.1 Apache-2.0 6 2017-06-09 - 19:28 almost 7 years
0.9.2 Apache-2.0 6 2017-06-06 - 16:40 almost 7 years
0.9.1 Apache-2.0 6 2017-06-02 - 21:39 almost 7 years
0.9.0 Apache-2.0 6 2017-06-02 - 13:23 almost 7 years
0.9.0-rc.2 Apache-2.0 6 2017-06-02 - 00:14 almost 7 years
0.9.0-rc.1 Apache-2.0 6 2017-06-01 - 01:16 almost 7 years
0.8.9 Apache-2.0 6 2017-05-22 - 10:37 almost 7 years
0.8.9-rc.1 Apache-2.0 6 2017-05-19 - 09:39 almost 7 years
0.8.8 Apache-2.0 6 2017-04-25 - 09:54 about 7 years
0.8.8-rc.2 Apache-2.0 6 2017-04-24 - 17:24 about 7 years
0.8.8-rc.1 Apache-2.0 6 2017-04-21 - 17:23 about 7 years
0.8.7 Apache-2.0 6 2017-04-12 - 09:02 about 7 years
0.8.7-rc.4 Apache-2.0 6 2017-04-11 - 17:48 about 7 years
0.8.7-rc.3 Apache-2.0 6 2017-04-10 - 15:54 about 7 years
0.8.7-rc.2 Apache-2.0 6 2017-04-10 - 15:46 about 7 years
0.8.7-rc.1 Apache-2.0 6 2017-04-07 - 16:11 about 7 years
0.8.6 Apache-2.0 6 2017-02-04 - 10:30 over 7 years
0.8.6-rc.3 Apache-2.0 6 2017-02-03 - 15:33 over 7 years
0.8.6-rc.2 Apache-2.0 6 2017-02-03 - 13:07 over 7 years
0.8.6-rc.1 Apache-2.0 6 2017-02-03 - 12:14 over 7 years
0.8.5 Apache-2.0 6 2017-01-16 - 13:22 over 7 years
0.8.5-rc.1 Apache-2.0 6 2017-01-13 - 11:14 over 7 years
0.8.4 Apache-2.0 6 2016-12-24 - 19:03 over 7 years
0.8.3 Apache-2.0 6 2016-12-22 - 14:10 over 7 years
0.8.3-electron Apache-2.0 6 2016-12-24 - 18:53 over 7 years
0.8.2 Apache-2.0 6 2016-12-16 - 17:26 over 7 years
0.8.1 Apache-2.0 6 2016-12-09 - 19:53 over 7 years
0.8.1-rc.2 Apache-2.0 6 2016-12-06 - 16:04 over 7 years
0.8.1-rc.1 Apache-2.0 6 2016-12-05 - 17:51 over 7 years
0.8.0 Apache-2.0 6 2016-11-19 - 00:02 over 7 years
0.7.5 Apache-2.0 6 2016-11-04 - 10:09 over 7 years
0.7.5-rc.1 Apache-2.0 6 2016-11-02 - 11:08 over 7 years
0.7.4 Apache-2.0 6 2016-10-12 - 10:47 over 7 years
0.7.3 Apache-2.0 6 2016-10-05 - 15:51 over 7 years
0.7.2 Apache-2.0 6 2016-09-21 - 16:28 over 7 years
0.7.1 Apache-2.0 6 2016-09-21 - 10:59 over 7 years
0.6.5 Apache-2.0 6 2016-08-28 - 15:55 over 7 years
0.6.5-r3 Apache-2.0 6 2016-09-02 - 16:17 over 7 years
0.6.5-r2 Apache-2.0 6 2016-09-02 - 16:14 over 7 years
0.6.5-r1 Apache-2.0 6 2016-09-01 - 21:18 over 7 years
0.6.4 Apache-2.0 6 2016-08-11 - 16:37 almost 8 years
0.6.4-r1 Apache-2.0 6 2016-08-12 - 09:08 almost 8 years