4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
38.4%
The user content sandbox can be abused to trick users into opening unexpected documents after several user interactions. The content can be opened with a blob
origin from the Matrix client, so it is possible for a malicious document to access user messages and secrets.
This has been fixed by https://github.com/matrix-org/matrix-react-sdk/pull/5657, which is included in 3.15.0.
There are no known workarounds.
CPE | Name | Operator | Version |
---|---|---|---|
matrix-react-sdk | lt | 3.15.0 |
github.com/advisories/GHSA-52mq-6jcv-j79x
github.com/matrix-org/matrix-react-sdk/commit/b386f0c73b95ecbb6ea7f8f79c6ff5171a8dedd1
github.com/matrix-org/matrix-react-sdk/pull/5657
github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-52mq-6jcv-j79x
nvd.nist.gov/vuln/detail/CVE-2021-21320
www.npmjs.com/package/matrix-react-sdk
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
38.4%