Matrix React Sdk
CVE-2023-30609
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.
AnalysisAI
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-74. matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection. Affected products include: Matrix-React-Sdk Project Matrix-React-Sdk. Version information: version 3.71.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Matrix React Sdk
View allmatrix-react-sdk is a Matrix chat protocol SDK for React Javascript. Rated high severity (CVSS 8.2), this vulnerability
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Rated high severity (CVSS
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. Rated medium severity (CV
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. Rated medium severity (CV
matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. Rated medium severity (CVSS 4.3), this vu
Share
External POC / Exploit Code
Leaving vuln.today