GitHub Advisory DatabaseGHSA-XV83-X443-7RMWHTML injection in search results via plaintext message highlighting
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
0.001 Low
EPSS
Percentile
37.4%
Impact
Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload.
Cross-site scripting is possible by including resources from recaptcha.net and gstatic.com which are included in the default CSP.
Thanks to Cadence Ember for finding the injection and to S1m for finding possible XSS vectors.
Patches
Version 3.71.0 of the SDK fixes the issue.
Workarounds
Restarting the client will clear the injection.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| matrix-react-sdk | lt | 3.71.0 |
References
github.com/advisories/GHSA-xv83-x443-7rmw
github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826
github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0
github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw
nvd.nist.gov/vuln/detail/CVE-2023-30609
Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
0.001 Low
EPSS
Percentile
37.4%