NodeJS/matrix-react-sdk/3.76.0-rc.2
SDK for matrix.org using React
https://www.npmjs.com/package/matrix-react-sdk
Apache-2.0
1 Security Vulnerability
matrix-react-sdk vulnerable to XSS in Export Chat feature
- https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65
- https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8
- https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.76.0
- https://github.com/advisories/GHSA-c9vx-2g7w-rp65
- https://nvd.nist.gov/vuln/detail/CVE-2023-37259
Description
The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.
Impact
Since the Export Chat feature generates a separate document, an attacker can only inject code run from the null origin, restricting the impact.
However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side.
Patches
This was patched in matrix-react-sdk 3.76.0.
Workarounds
None, other than not using the Export Chat feature.
References
N/A
514 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
0.0.1 | Apache-2.0 | 6 | 2015-10-02 - 17:54 | over 8 years |
0.0.2 | Apache-2.0 | 6 | 2015-10-28 - 18:16 | over 8 years |
0.1.0 | Apache-2.0 | 6 | 2016-02-24 - 14:17 | about 8 years |
0.2.0 | Apache-2.0 | 6 | 2016-03-11 - 14:51 | about 8 years |
0.3.0 | Apache-2.0 | 6 | 2016-03-23 - 14:01 | about 8 years |
0.3.1 | Apache-2.0 | 6 | 2016-03-23 - 14:56 | about 8 years |
0.4.0 | Apache-2.0 | 6 | 2016-03-30 - 12:25 | about 8 years |
0.5.0 | Apache-2.0 | 6 | 2016-04-19 - 12:20 | about 8 years |
0.5.1 | Apache-2.0 | 6 | 2016-04-19 - 12:35 | about 8 years |
0.5.2 | Apache-2.0 | 6 | 2016-04-22 - 10:21 | about 8 years |
0.6.0 | Apache-2.0 | 6 | 2016-06-02 - 12:38 | almost 8 years |
0.6.1 | Apache-2.0 | 6 | 2016-06-02 - 17:33 | almost 8 years |
0.6.2 | Apache-2.0 | 6 | 2016-06-02 - 17:55 | almost 8 years |
0.6.3 | Apache-2.0 | 6 | 2016-06-03 - 11:18 | almost 8 years |
0.6.4 | Apache-2.0 | 6 | 2016-08-11 - 16:37 | almost 8 years |
0.6.4-r1 | Apache-2.0 | 6 | 2016-08-12 - 09:08 | almost 8 years |
0.6.5 | Apache-2.0 | 6 | 2016-08-28 - 15:55 | over 7 years |
0.6.5-r1 | Apache-2.0 | 6 | 2016-09-01 - 21:18 | over 7 years |
0.6.5-r2 | Apache-2.0 | 6 | 2016-09-02 - 16:14 | over 7 years |
0.6.5-r3 | Apache-2.0 | 6 | 2016-09-02 - 16:17 | over 7 years |
0.7.1 | Apache-2.0 | 6 | 2016-09-21 - 10:59 | over 7 years |
0.7.2 | Apache-2.0 | 6 | 2016-09-21 - 16:28 | over 7 years |
0.7.3 | Apache-2.0 | 6 | 2016-10-05 - 15:51 | over 7 years |
0.7.4 | Apache-2.0 | 6 | 2016-10-12 - 10:47 | over 7 years |
0.7.5-rc.1 | Apache-2.0 | 6 | 2016-11-02 - 11:08 | over 7 years |
0.7.5 | Apache-2.0 | 6 | 2016-11-04 - 10:09 | over 7 years |
0.8.0 | Apache-2.0 | 6 | 2016-11-19 - 00:02 | over 7 years |
0.8.1-rc.1 | Apache-2.0 | 6 | 2016-12-05 - 17:51 | over 7 years |
0.8.1-rc.2 | Apache-2.0 | 6 | 2016-12-06 - 16:04 | over 7 years |
0.8.1 | Apache-2.0 | 6 | 2016-12-09 - 19:53 | over 7 years |
0.8.2 | Apache-2.0 | 6 | 2016-12-16 - 17:26 | over 7 years |
0.8.3 | Apache-2.0 | 6 | 2016-12-22 - 14:10 | over 7 years |
0.8.3-electron | Apache-2.0 | 6 | 2016-12-24 - 18:53 | over 7 years |
0.8.4 | Apache-2.0 | 6 | 2016-12-24 - 19:03 | over 7 years |
0.8.5-rc.1 | Apache-2.0 | 6 | 2017-01-13 - 11:14 | over 7 years |
0.8.5 | Apache-2.0 | 6 | 2017-01-16 - 13:22 | over 7 years |
0.8.6-rc.1 | Apache-2.0 | 6 | 2017-02-03 - 12:14 | over 7 years |
0.8.6-rc.2 | Apache-2.0 | 6 | 2017-02-03 - 13:07 | over 7 years |
0.8.6-rc.3 | Apache-2.0 | 6 | 2017-02-03 - 15:33 | over 7 years |
0.8.6 | Apache-2.0 | 6 | 2017-02-04 - 10:30 | over 7 years |
0.8.7-rc.1 | Apache-2.0 | 6 | 2017-04-07 - 16:11 | about 7 years |
0.8.7-rc.2 | Apache-2.0 | 6 | 2017-04-10 - 15:46 | about 7 years |
0.8.7-rc.3 | Apache-2.0 | 6 | 2017-04-10 - 15:54 | about 7 years |
0.8.7-rc.4 | Apache-2.0 | 6 | 2017-04-11 - 17:48 | about 7 years |
0.8.7 | Apache-2.0 | 6 | 2017-04-12 - 09:02 | about 7 years |
0.8.8-rc.1 | Apache-2.0 | 6 | 2017-04-21 - 17:23 | about 7 years |
0.8.8-rc.2 | Apache-2.0 | 6 | 2017-04-24 - 17:24 | about 7 years |
0.8.8 | Apache-2.0 | 6 | 2017-04-25 - 09:54 | about 7 years |
0.8.9-rc.1 | Apache-2.0 | 6 | 2017-05-19 - 09:39 | about 7 years |
0.8.9 | Apache-2.0 | 6 | 2017-05-22 - 10:37 | almost 7 years |
0.9.0-rc.1 | Apache-2.0 | 6 | 2017-06-01 - 01:16 | almost 7 years |
0.9.0-rc.2 | Apache-2.0 | 6 | 2017-06-02 - 00:14 | almost 7 years |
0.9.0 | Apache-2.0 | 6 | 2017-06-02 - 13:23 | almost 7 years |
0.9.1 | Apache-2.0 | 6 | 2017-06-02 - 21:39 | almost 7 years |
0.9.2 | Apache-2.0 | 6 | 2017-06-06 - 16:40 | almost 7 years |
0.9.3-rc.1 | Apache-2.0 | 6 | 2017-06-09 - 19:28 | almost 7 years |
0.9.3-rc.2 | Apache-2.0 | 6 | 2017-06-09 - 21:14 | almost 7 years |
0.9.3 | Apache-2.0 | 6 | 2017-06-12 - 14:51 | almost 7 years |
0.9.4 | Apache-2.0 | 6 | 2017-06-14 - 10:17 | almost 7 years |
0.9.5-rc.1 | Apache-2.0 | 6 | 2017-06-15 - 16:17 | almost 7 years |
0.9.5-rc.2 | Apache-2.0 | 6 | 2017-06-16 - 12:29 | almost 7 years |
0.9.5 | Apache-2.0 | 6 | 2017-06-19 - 12:10 | almost 7 years |
0.9.6 | Apache-2.0 | 6 | 2017-06-20 - 12:08 | almost 7 years |
0.9.7 | Apache-2.0 | 6 | 2017-06-22 - 10:57 | almost 7 years |
0.10.0-rc.1 | Apache-2.0 | 6 | 2017-08-16 - 08:58 | almost 7 years |
0.10.0-rc.2 | Apache-2.0 | 6 | 2017-08-22 - 13:11 | over 6 years |
0.10.1-rc.1 | Apache-2.0 | 6 | 2017-08-22 - 17:53 | over 6 years |
0.10.1 | Apache-2.0 | 6 | 2017-08-23 - 14:56 | over 6 years |
0.10.2 | Apache-2.0 | 6 | 2017-08-24 - 13:50 | over 6 years |
0.10.3-rc.1 | Apache-2.0 | 6 | 2017-09-01 - 15:17 | over 6 years |
0.10.3-rc.2 | Apache-2.0 | 6 | 2017-09-05 - 12:13 | over 6 years |
0.10.3 | Apache-2.0 | 6 | 2017-09-06 - 12:26 | over 6 years |
0.10.4-rc.1 | Apache-2.0 | 6 | 2017-09-19 - 09:51 | over 6 years |
0.10.4 | Apache-2.0 | 6 | 2017-09-20 - 14:13 | over 6 years |
0.10.5 | Apache-2.0 | 6 | 2017-09-21 - 17:02 | over 6 years |
0.10.6 | Apache-2.0 | 6 | 2017-09-21 - 20:47 | over 6 years |
0.10.7-rc.1 | Apache-2.0 | 6 | 2017-10-13 - 10:11 | over 6 years |
0.10.7-rc.2 | Apache-2.0 | 6 | 2017-10-13 - 14:03 | over 6 years |
0.10.7-rc.3 | Apache-2.0 | 6 | 2017-10-13 - 15:32 | over 6 years |
0.10.7 | Apache-2.0 | 6 | 2017-10-16 - 13:45 | over 6 years |
0.11.0-rc.1 | Apache-2.0 | 6 | 2017-11-10 - 13:40 | over 6 years |
0.11.0-rc.2 | Apache-2.0 | 6 | 2017-11-10 - 16:45 | over 6 years |
0.11.0-rc.3 | Apache-2.0 | 6 | 2017-11-14 - 14:17 | over 6 years |
0.11.0 | Apache-2.0 | 6 | 2017-11-15 - 11:01 | over 6 years |
0.11.1 | Apache-2.0 | 6 | 2017-11-17 - 16:04 | over 6 years |
0.11.2 | Apache-2.0 | 6 | 2017-11-28 - 10:25 | over 6 years |
0.11.3 | Apache-2.0 | 6 | 2017-12-04 - 12:24 | over 6 years |
0.11.4 | Apache-2.0 | 6 | 2018-02-09 - 12:34 | over 6 years |
0.12.0-rc.1 | Apache-2.0 | 6 | 2018-03-19 - 12:16 | about 6 years |
0.12.0-rc.2 | Apache-2.0 | 6 | 2018-03-19 - 14:59 | about 6 years |
0.12.0-rc.3 | Apache-2.0 | 6 | 2018-03-20 - 17:38 | about 6 years |
0.12.0-rc.4 | Apache-2.0 | 6 | 2018-03-22 - 13:18 | about 6 years |
0.11.4-cryptowarning.1 | Apache-2.0 | 6 | 2018-03-26 - 13:21 | about 6 years |
0.11.4-cryptowarning.2 | Apache-2.0 | 6 | 2018-03-26 - 14:40 | about 6 years |
0.12.0-rc.5 | Apache-2.0 | 6 | 2018-04-09 - 14:41 | about 6 years |
0.12.0-rc.6 | Apache-2.0 | 6 | 2018-04-09 - 16:10 | about 6 years |
0.12.0-rc.7 | Apache-2.0 | 6 | 2018-04-10 - 13:28 | about 6 years |
0.12.0 | Apache-2.0 | 6 | 2018-04-11 - 10:31 | about 6 years |
0.12.1 | Apache-2.0 | 6 | 2018-04-11 - 10:55 | about 6 years |
0.12.2 | Apache-2.0 | 6 | 2018-04-12 - 11:51 | about 6 years |