NodeJS/matrix-react-sdk/3.73.0-rc.2

SDK for matrix.org using React

https://www.npmjs.com/package/matrix-react-sdk
Apache-2.0

1 Security Vulnerabilities

matrix-react-sdk vulnerable to XSS in Export Chat feature

Published date: 2023-07-18T16:58:01Z
CVE: CVE-2023-37259
Links:

Description

The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.

Impact

Since the Export Chat feature generates a separate document, an attacker can only inject code run from the null origin, restricting the impact.

However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side.

Patches

This was patched in matrix-react-sdk 3.76.0.

Workarounds

None, other than not using the Export Chat feature.

References

N/A

Affected versions: ["3.32.0", "3.32.1", "3.33.0-rc.1", "3.33.0-rc.2", "3.33.0", "3.34.0-rc.1", "3.34.0", "3.35.0-rc.1", "3.35.1", "3.36.0-rc.1", "3.36.0", "3.36.1", "3.37.0-rc.1", "3.37.0", "3.38.0-rc.1", "3.38.0", "3.39.0-rc.1", "3.39.0-rc.2", "3.39.0", "3.39.1", "3.40.0-rc.1", "3.40.0-rc.2", "3.40.0", "3.40.1", "3.41.0-rc.1", "3.41.0", "3.41.1", "3.42.0-rc.1", "3.42.0", "3.42.1-rc.1", "3.42.1", "3.42.2-rc.1", "3.42.2-rc.2", "3.42.2-rc.3", "3.42.2-rc.4", "3.42.3", "3.42.4", "3.43.0-rc.1", "3.43.0", "3.44.0-rc.1", "3.44.0-rc.2", "3.44.0", "3.45.0-rc.2", "3.45.0-rc.3", "3.45.0", "3.46.0-rc.1", "3.46.0", "3.47.0", "3.48.0-rc.1", "3.48.0", "3.49.0-rc.1", "3.49.0-rc.2", "3.49.0", "3.50.0", "3.51.0-rc.1", "3.51.0", "3.52.0-rc.1", "3.52.0-rc.2", "3.52.0", "3.53.0-rc.1", "3.53.0-rc.2", "3.53.0", "3.54.0-rc.1", "3.54.0", "3.55.0-rc.1", "3.55.0", "3.56.0", "3.57.0", "3.58.0-rc.1", "3.58.0-rc.2", "3.58.0", "3.58.1", "3.59.0-rc.1", "3.59.0-rc.2", "3.59.0", "3.59.1", "3.60.0-rc.1", "3.60.0-rc.2", "3.60.0", "3.61.0-rc.1", "3.61.0", "3.62.0-rc.1", "3.62.0-rc.2", "3.62.0", "3.63.0-rc.2", "3.63.0", "3.64.0-rc.1", "3.64.0-rc.2", "3.64.0-rc.3", "3.64.0-rc.4", "3.64.0", "3.64.1", "3.64.2", "3.65.0-rc.1", "3.65.0", "3.66.0-rc.1", "3.66.0", "3.67.0-rc.1", "3.67.0-rc.2", "3.67.0", "3.68.0-rc.1", "3.68.0-rc.2", "3.68.0-rc.3", "3.68.0", "3.69.0", "3.69.1", "3.70.0-rc.1", "3.70.0", "3.71.0-rc.1", "3.71.0", "3.71.1", "3.72.0-rc.1", "3.72.0-rc.2", "3.72.0", "3.73.0-rc.1", "3.73.0-rc.2", "3.73.0-rc.3", "3.73.0", "3.73.1", "3.74.0-rc1", "3.74.0", "3.75.0-rc.1", "3.75.0", "3.76.0-rc.1", "3.76.0-rc.2"]
Secure versions: [3.76.0, 3.77.0-rc.1, 3.77.0, 3.77.1, 3.78.0-rc.1, 3.78.0, 3.79.0-rc.2, 3.79.0, 3.80.0-rc.1, 3.80.0-rc.2, 3.80.0, 3.80.1, 3.81.0-rc.1, 3.81.0, 3.81.1, 3.82.0-rc.1, 3.82.0, 3.83.0-rc.1, 3.83.0, 3.84.0-rc.1, 3.84.0, 3.84.1, 3.85.0-rc.0, 3.85.0-rc.1, 3.85.0, 3.86.0-rc.2, 3.86.0, 3.87.0-rc.0, 3.87.0, 3.88.0, 3.89.0-rc.0, 3.89.0, 3.90.0, 3.91.0-rc.0, 3.91.0-rc.1, 3.91.0, 3.92.0-rc.0, 3.92.0-rc.1, 3.92.0, 3.93.0-rc.0, 3.93.0, 3.94.0-rc.0, 3.94.0, 3.95.0-rc.0, 3.95.0, 3.96.0-rc.0, 3.96.0, 3.96.1, 3.97.0-rc.0, 3.97.0, 3.98.0-rc.0, 3.98.0, 3.99.0-rc.0, 3.99.0-rc.1, 3.99.0, 3.100.0-rc.0]
Recommendation: Update to version 3.99.0.

514 Other Versions

Version License Security Released
0.6.3 Apache-2.0 6 2016-06-03 - 11:18 almost 8 years
0.6.2 Apache-2.0 6 2016-06-02 - 17:55 almost 8 years
0.6.1 Apache-2.0 6 2016-06-02 - 17:33 almost 8 years
0.6.0 Apache-2.0 6 2016-06-02 - 12:38 almost 8 years
0.5.2 Apache-2.0 6 2016-04-22 - 10:21 about 8 years
0.5.1 Apache-2.0 6 2016-04-19 - 12:35 about 8 years
0.5.0 Apache-2.0 6 2016-04-19 - 12:20 about 8 years
0.4.0 Apache-2.0 6 2016-03-30 - 12:25 about 8 years
0.3.1 Apache-2.0 6 2016-03-23 - 14:56 about 8 years
0.3.0 Apache-2.0 6 2016-03-23 - 14:01 about 8 years
0.2.0 Apache-2.0 6 2016-03-11 - 14:51 about 8 years
0.1.0 Apache-2.0 6 2016-02-24 - 14:17 about 8 years
0.0.2 Apache-2.0 6 2015-10-28 - 18:16 over 8 years
0.0.1 Apache-2.0 6 2015-10-02 - 17:54 over 8 years