CVE-2023-30609
Summary
| Field | Value |
|---|---|
| CVE | CVE-2023-30609 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-04-25 21:15:00 UTC |
| Updated | 2023-05-08 18:05:00 UTC |
| Description | matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| HTML injection in search results via plaintext message highlighting · Advisory · matrix-org/matrix-react-sdk · GitHub | MISC | github.com | |
| Merge pull request from GHSA-xv83-x443-7rmw · matrix-org/matrix-react-sdk@bf182bc · GitHub | MISC | github.com | |
| Release v3.71.0 · matrix-org/matrix-react-sdk · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 502990 Alpine Linux Security Update for riot-web
- 503175 Alpine Linux Security Update for element-web
- 506035 Alpine Linux Security Update for element-web
- 691153 Free Berkeley Software Distribution (FreeBSD) Security Update for element (c676bb1b-e3f8-11ed-b37b-901b0e9408dc)