GHSA-xv83-x443-7rmw

Suggest an improvement
Source
https://github.com/advisories/GHSA-xv83-x443-7rmw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-xv83-x443-7rmw/GHSA-xv83-x443-7rmw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xv83-x443-7rmw
Aliases
Related
Published
2023-04-25T19:48:11Z
Modified
2023-11-08T04:12:25.905467Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L CVSS Calculator
Summary
HTML injection in search results via plaintext message highlighting
Details

Impact

Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload.

Cross-site scripting is possible by including resources from recaptcha.net and gstatic.com which are included in the default CSP.

Thanks to Cadence Ember for finding the injection and to S1m for finding possible XSS vectors.

Patches

Version 3.71.0 of the SDK fixes the issue.

Workarounds

Restarting the client will clear the injection.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-25T19:48:11Z",
    "nvd_published_at": "2023-04-25T21:15:10Z",
    "cwe_ids": [
        "CWE-74",
        "CWE-79"
    ],
    "severity": "HIGH"
}
References

Affected packages

npm / matrix-react-sdk

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.71.0