GitHub_MCVELIST:CVE-2021-21320CVE-2021-21320 User content sandbox can be confused into opening arbitrary documents
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
38.2%
matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob origin that cannot access Matrix user data, so messages and secrets are not at risk. This has been fixed in version 3.15.0.
CNA Affected
[
{
"product": "matrix-react-sdk",
"vendor": "matrix-org",
"versions": [
{
"status": "affected",
"version": "< 3.15.0"
}
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
38.2%