CVE-2021-21320
Summary
| CVE | CVE-2021-21320 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-03-02 03:15:00 UTC |
| Updated | 2021-03-08 19:39:00 UTC |
| Description | matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messages and secrets are not at risk. This has been fixed in version 3.15.0. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| User content sandbox can be confused into opening arbitrary documents · Advisory · matrix-org/matrix-react-sdk · GitHub | CONFIRM | github.com | Third Party Advisory |
| Merge pull request #5657 from matrix-org/t3chguy/usercontent · matrix-org/matrix-react-sdk@b386f0c · GitHub | MISC | github.com | Patch, Third Party Advisory |
| matrix-react-sdk | MISC | www.npmjs.com | Product, Third Party Advisory |
| Remove redundant lockOrigin parameter from usercontent by t3chguy · Pull Request #5657 · matrix-org/matrix-react-sdk · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982754 Nodejs (npm) Security Update for matrix-react-sdk (GHSA-52mq-6jcv-j79x)