NodeJS/matrix-react-sdk/3.76.0-rc.1


SDK for matrix.org using React

https://www.npmjs.com/package/matrix-react-sdk
Apache-2.0

1 Security Vulnerability

matrix-react-sdk vulnerable to XSS in Export Chat feature

Published date: 2023-07-18T16:58:01Z
CVE: CVE-2023-37259
Links:

Description

The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.

Impact

Since the Export Chat feature generates a separate document, an attacker can only inject code run from the null origin, restricting the impact.

However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side.

Patches

This was patched in matrix-react-sdk 3.76.0.

Workarounds

None, other than not using the Export Chat feature.

References

N/A

Affected versions: ["3.32.0", "3.32.1", "3.33.0-rc.1", "3.33.0-rc.2", "3.33.0", "3.34.0-rc.1", "3.34.0", "3.35.0-rc.1", "3.35.1", "3.36.0-rc.1", "3.36.0", "3.36.1", "3.37.0-rc.1", "3.37.0", "3.38.0-rc.1", "3.38.0", "3.39.0-rc.1", "3.39.0-rc.2", "3.39.0", "3.39.1", "3.40.0-rc.1", "3.40.0-rc.2", "3.40.0", "3.40.1", "3.41.0-rc.1", "3.41.0", "3.41.1", "3.42.0-rc.1", "3.42.0", "3.42.1-rc.1", "3.42.1", "3.42.2-rc.1", "3.42.2-rc.2", "3.42.2-rc.3", "3.42.2-rc.4", "3.42.3", "3.42.4", "3.43.0-rc.1", "3.43.0", "3.44.0-rc.1", "3.44.0-rc.2", "3.44.0", "3.45.0-rc.2", "3.45.0-rc.3", "3.45.0", "3.46.0-rc.1", "3.46.0", "3.47.0", "3.48.0-rc.1", "3.48.0", "3.49.0-rc.1", "3.49.0-rc.2", "3.49.0", "3.50.0", "3.51.0-rc.1", "3.51.0", "3.52.0-rc.1", "3.52.0-rc.2", "3.52.0", "3.53.0-rc.1", "3.53.0-rc.2", "3.53.0", "3.54.0-rc.1", "3.54.0", "3.55.0-rc.1", "3.55.0", "3.56.0", "3.57.0", "3.58.0-rc.1", "3.58.0-rc.2", "3.58.0", "3.58.1", "3.59.0-rc.1", "3.59.0-rc.2", "3.59.0", "3.59.1", "3.60.0-rc.1", "3.60.0-rc.2", "3.60.0", "3.61.0-rc.1", "3.61.0", "3.62.0-rc.1", "3.62.0-rc.2", "3.62.0", "3.63.0-rc.2", "3.63.0", "3.64.0-rc.1", "3.64.0-rc.2", "3.64.0-rc.3", "3.64.0-rc.4", "3.64.0", "3.64.1", "3.64.2", "3.65.0-rc.1", "3.65.0", "3.66.0-rc.1", "3.66.0", "3.67.0-rc.1", "3.67.0-rc.2", "3.67.0", "3.68.0-rc.1", "3.68.0-rc.2", "3.68.0-rc.3", "3.68.0", "3.69.0", "3.69.1", "3.70.0-rc.1", "3.70.0", "3.71.0-rc.1", "3.71.0", "3.71.1", "3.72.0-rc.1", "3.72.0-rc.2", "3.72.0", "3.73.0-rc.1", "3.73.0-rc.2", "3.73.0-rc.3", "3.73.0", "3.73.1", "3.74.0-rc1", "3.74.0", "3.75.0-rc.1", "3.75.0", "3.76.0-rc.1", "3.76.0-rc.2"]
Secure versions: [3.76.0, 3.77.0-rc.1, 3.77.0, 3.77.1, 3.78.0-rc.1, 3.78.0, 3.79.0-rc.2, 3.79.0, 3.80.0-rc.1, 3.80.0-rc.2, 3.80.0, 3.80.1, 3.81.0-rc.1, 3.81.0, 3.81.1, 3.82.0-rc.1, 3.82.0, 3.83.0-rc.1, 3.83.0, 3.84.0-rc.1, 3.84.0, 3.84.1, 3.85.0-rc.0, 3.85.0-rc.1, 3.85.0, 3.86.0-rc.2, 3.86.0, 3.87.0-rc.0, 3.87.0, 3.88.0, 3.89.0-rc.0, 3.89.0, 3.90.0, 3.91.0-rc.0, 3.91.0-rc.1, 3.91.0, 3.92.0-rc.0, 3.92.0-rc.1, 3.92.0, 3.93.0-rc.0, 3.93.0, 3.94.0-rc.0, 3.94.0, 3.95.0-rc.0, 3.95.0, 3.96.0-rc.0, 3.96.0, 3.96.1, 3.97.0-rc.0, 3.97.0, 3.98.0-rc.0, 3.98.0, 3.99.0-rc.0, 3.99.0-rc.1, 3.99.0, 3.100.0-rc.0]
Recommendation: Update to version 3.99.0.

514 Other Versions

Version | License | Security | Released (date - time, age)
3.61.0 Apache-2.0 3 2022-11-22 - 11:42 over 1 year
3.61.0-rc.1 Apache-2.0 3 2022-11-15 - 18:07 over 1 year
3.60.0 Apache-2.0 3 2022-11-08 - 14:44 over 1 year
3.60.0-rc.2 Apache-2.0 3 2022-11-08 - 13:13 over 1 year
3.60.0-rc.1 Apache-2.0 3 2022-11-01 - 14:47 over 1 year
3.59.1 Apache-2.0 3 2022-11-01 - 09:34 over 1 year
3.59.0 Apache-2.0 3 2022-10-25 - 16:45 over 1 year
3.59.0-rc.2 Apache-2.0 3 2022-10-24 - 16:00 over 1 year
3.59.0-rc.1 Apache-2.0 3 2022-10-18 - 13:17 over 1 year
3.58.1 Apache-2.0 3 2022-10-11 - 16:54 over 1 year
3.58.0 Apache-2.0 3 2022-10-11 - 12:59 over 1 year
3.58.0-rc.2 Apache-2.0 3 2022-10-05 - 12:44 over 1 year
3.58.0-rc.1 Apache-2.0 3 2022-10-04 - 13:23 over 1 year
3.57.0 Apache-2.0 3 2022-09-28 - 14:57 over 1 year
3.56.0 Apache-2.0 3 2022-09-28 - 13:18 over 1 year
3.55.0 Apache-2.0 3 2022-09-27 - 17:13 over 1 year
3.55.0-rc.1 Apache-2.0 3 2022-09-20 - 13:22 over 1 year
3.54.0 Apache-2.0 3 2022-09-13 - 11:57 over 1 year
3.54.0-rc.1 Apache-2.0 3 2022-09-06 - 12:24 over 1 year
3.53.0 Apache-2.0 3 2022-08-31 - 15:31 over 1 year
3.53.0-rc.2 Apache-2.0 4 2022-08-25 - 15:51 over 1 year
3.53.0-rc.1 Apache-2.0 4 2022-08-23 - 10:02 over 1 year
3.52.0 Apache-2.0 4 2022-08-16 - 14:40 almost 2 years
3.52.0-rc.2 Apache-2.0 4 2022-08-12 - 12:39 almost 2 years
3.52.0-rc.1 Apache-2.0 4 2022-08-09 - 16:16 almost 2 years
3.51.0 Apache-2.0 4 2022-08-02 - 16:07 almost 2 years
3.51.0-rc.1 Apache-2.0 4 2022-07-26 - 16:54 almost 2 years
3.50.0 Apache-2.0 4 2022-07-26 - 16:38 almost 2 years
3.49.0 Apache-2.0 4 2022-07-26 - 15:26 almost 2 years
3.49.0-rc.2 Apache-2.0 4 2022-07-15 - 13:48 almost 2 years
3.49.0-rc.1 Apache-2.0 4 2022-07-12 - 13:11 almost 2 years
3.48.0 Apache-2.0 4 2022-07-05 - 13:16 almost 2 years
3.48.0-rc.1 Apache-2.0 4 2022-06-28 - 15:14 almost 2 years
3.47.0 Apache-2.0 4 2022-06-14 - 13:14 almost 2 years
3.46.0 Apache-2.0 4 2022-06-07 - 11:13 almost 2 years
3.46.0-rc.1 Apache-2.0 4 2022-05-31 - 10:43 almost 2 years
3.45.0 Apache-2.0 4 2022-05-24 - 11:59 almost 2 years
3.45.0-rc.3 Apache-2.0 4 2022-05-20 - 10:01 almost 2 years
3.45.0-rc.2 Apache-2.0 4 2022-05-17 - 18:20 about 2 years
3.44.0 Apache-2.0 4 2022-05-10 - 14:01 about 2 years
3.44.0-rc.2 Apache-2.0 4 2022-05-06 - 16:15 about 2 years
3.44.0-rc.1 Apache-2.0 4 2022-05-03 - 14:29 about 2 years
3.43.0 Apache-2.0 4 2022-04-26 - 10:39 about 2 years
3.43.0-rc.1 Apache-2.0 4 2022-04-19 - 13:56 about 2 years
3.42.4 Apache-2.0 4 2022-04-14 - 12:58 about 2 years
3.42.3 Apache-2.0 4 2022-04-12 - 09:34 about 2 years
3.42.2-rc.4 Apache-2.0 4 2022-04-11 - 10:41 about 2 years
3.42.2-rc.3 Apache-2.0 4 2022-04-08 - 11:17 about 2 years
3.42.2-rc.2 Apache-2.0 4 2022-04-06 - 10:53 about 2 years
3.42.2-rc.1 Apache-2.0 4 2022-04-05 - 17:15 about 2 years
3.42.1 Apache-2.0 4 2022-03-28 - 15:19 about 2 years
3.42.1-rc.1 Apache-2.0 4 2022-03-22 - 21:49 about 2 years
3.42.0 Apache-2.0 4 2022-03-15 - 14:33 about 2 years
3.42.0-rc.1 Apache-2.0 4 2022-03-08 - 14:56 about 2 years
3.41.1 Apache-2.0 4 2022-03-01 - 11:56 about 2 years
3.41.0 Apache-2.0 4 2022-02-28 - 16:56 about 2 years
3.41.0-rc.1 Apache-2.0 4 2022-02-22 - 13:50 about 2 years
3.40.1 Apache-2.0 4 2022-02-17 - 12:02 about 2 years
3.40.0 Apache-2.0 4 2022-02-14 - 15:29 over 2 years
3.40.0-rc.2 Apache-2.0 4 2022-02-09 - 10:28 over 2 years
3.40.0-rc.1 Apache-2.0 4 2022-02-08 - 15:42 over 2 years
3.39.1 Apache-2.0 4 2022-02-01 - 15:51 over 2 years
3.39.0 Apache-2.0 4 2022-01-31 - 14:56 over 2 years
3.39.0-rc.2 Apache-2.0 4 2022-01-26 - 18:08 over 2 years
3.39.0-rc.1 Apache-2.0 4 2022-01-26 - 17:06 over 2 years
3.38.0 Apache-2.0 4 2022-01-17 - 14:21 over 2 years
3.38.0-rc.1 Apache-2.0 4 2022-01-11 - 15:05 over 2 years
3.37.0 Apache-2.0 4 2021-12-20 - 14:15 over 2 years
3.37.0-rc.1 Apache-2.0 4 2021-12-14 - 14:45 over 2 years
3.36.1 Apache-2.0 4 2021-12-13 - 15:28 over 2 years
3.36.0 Apache-2.0 4 2021-12-06 - 15:22 over 2 years
3.36.0-rc.1 Apache-2.0 4 2021-11-30 - 18:23 over 2 years
3.35.1 Apache-2.0 4 2021-11-22 - 14:27 over 2 years
3.35.0-rc.1 Apache-2.0 4 2021-11-17 - 14:08 over 2 years
3.34.0 Apache-2.0 4 2021-11-08 - 17:45 over 2 years
3.34.0-rc.1 Apache-2.0 4 2021-11-02 - 14:20 over 2 years
3.33.0 Apache-2.0 4 2021-10-25 - 10:31 over 2 years
3.33.0-rc.2 Apache-2.0 4 2021-10-20 - 07:41 over 2 years
3.33.0-rc.1 Apache-2.0 4 2021-10-19 - 10:00 over 2 years
3.32.1 Apache-2.0 4 2021-10-12 - 07:44 over 2 years
3.32.0 Apache-2.0 4 2021-10-11 - 10:58 over 2 years
3.32.0-rc.2 Apache-2.0 3 2021-10-08 - 07:34 over 2 years
3.32.0-rc.1 Apache-2.0 3 2021-10-04 - 11:05 over 2 years
3.31.0 Apache-2.0 3 2021-09-27 - 13:33 over 2 years
3.31.0-rc.2 Apache-2.0 3 2021-09-22 - 13:36 over 2 years
3.31.0-rc.1 Apache-2.0 3 2021-09-21 - 08:43 over 2 years
3.30.0 Apache-2.0 3 2021-09-14 - 14:57 over 2 years
3.30.0-rc.2 Apache-2.0 3 2021-09-09 - 17:30 over 2 years
3.30.0-rc.1 Apache-2.0 3 2021-09-07 - 18:02 over 2 years
3.29.1 Apache-2.0 3 2021-09-13 - 11:58 over 2 years
3.29.0 Apache-2.0 3 2021-08-31 - 12:54 over 2 years
3.29.0-rc.3 Apache-2.0 3 2021-08-26 - 13:20 over 2 years
3.29.0-rc.2 Apache-2.0 3 2021-08-25 - 10:47 over 2 years
3.29.0-rc.1 Apache-2.0 3 2021-08-24 - 16:55 over 2 years
3.28.1 Apache-2.0 3 2021-08-17 - 08:41 over 2 years
3.28.0 Apache-2.0 3 2021-08-16 - 13:48 almost 3 years
3.28.0-rc.1 Apache-2.0 3 2021-08-11 - 15:03 almost 3 years
3.27.0 Apache-2.0 3 2021-08-02 - 12:07 almost 3 years
3.27.0-rc.1 Apache-2.0 3 2021-07-27 - 15:03 almost 3 years
3.26.0 Apache-2.0 3 2021-07-19 - 15:10 almost 3 years