In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the Object.prototype, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic.
(This is part 2, where CVE-2022-36060 / GHSA-2x9c-qwgf-94xr is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)
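The bug class named in this advisory (CWE-1321), shown as an added illustration: this is not matrix-react-sdk code and does not reproduce the actual vectors, which the advisory does not specify. The function names and the sample response are constructed for the example.

```javascript
// Constructed sample: a server response whose object keys are remote-controlled.
// JSON.parse stores "__proto__" as an ordinary own property, so parsing is safe;
// the damage happens later, when the key is used to index a plain object.
const SAMPLE = JSON.parse(
  '{"@alice:example.org": {"muted": true}, "__proto__": {"polluted": true}}'
);

// Unsafe pattern: a plain object used as a dictionary keyed by remote strings.
// For key "__proto__", store[key] resolves to Object.prototype, so the nested
// write lands on the prototype shared by every object in the process.
function indexUnsafe(response) {
  const store = {};
  for (const [key, fields] of Object.entries(response)) {
    store[key] = store[key] || {};
    for (const [name, value] of Object.entries(fields)) {
      store[key][name] = value;
    }
  }
  return store;
}

// Hardened pattern: Map treats every key, including "__proto__", as opaque data.
function indexSafe(response) {
  const store = new Map();
  for (const [key, fields] of Object.entries(response)) {
    if (!store.has(key)) store.set(key, new Map());
    for (const [name, value] of Object.entries(fields)) {
      store.get(key).set(name, value);
    }
  }
  return store;
}

// Runs both variants on the same input and reports whether unrelated, freshly
// created objects picked up the remote-supplied property.
function demo() {
  const safe = indexSafe(SAMPLE);
  const afterSafe = "polluted" in {};
  indexUnsafe(SAMPLE);
  const afterUnsafe = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the prototype after the demo
  return { afterSafe, afterUnsafe, safeKeys: [...safe.keys()] };
}

console.log(demo());
```

Object.create(null) dictionaries or an explicit rejection of the keys "__proto__", "constructor" and "prototype" are alternative mitigations where a Map does not fit the surrounding code.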
This is fixed in matrix-react-sdk 3.69.0.
None.
If you have any questions or comments about this advisory please email us at security at matrix.org.
{ "nvd_published_at": "2023-03-28T21:15:00Z", "github_reviewed_at": "2023-03-29T19:34:25Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-1321" ] }