CVE-2023-30609

2023-04-2521:15:10

CWE-74

[email protected]

web.nvd.nist.gov

matrix-react-sdk

html injection

cve-2023-30609

security patch

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

4.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.4%

JSON

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.

Affected configurations

Vulners

NVD

Node

matrix-orgmatrix_react_sdkRange<3.71.0

CPENameOperatorVersion
matrix-react-sdk_project:matrix-react-sdkmatrix-react-sdk project matrix-react-sdklt3.71.0

CPE	Name	Operator	Version
matrix-react-sdk_project:matrix-react-sdk	matrix-react-sdk project matrix-react-sdk	lt	3.71.0

CNA Affected

[
  {
    "vendor": "matrix-org",
    "product": "matrix-react-sdk",
    "versions": [
      {
        "version": "< 3.71.0",
        "status": "affected"
      }
    ]
  }
]