Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload.
Cross-site scripting is possible by including resources from recaptcha.net
and gstatic.com
which are included in the default CSP.
Thanks to Cadence Ember for finding the injection and to S1m for finding possible XSS vectors.
Version 3.71.0 of the SDK fixes the issue.
Restarting the client will clear the injection.
CPE | Name | Operator | Version |
---|---|---|---|
matrix-react-sdk | lt | 3.71.0 |
github.com/matrix-org/matrix-react-sdk
github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826
github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0
github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw
nvd.nist.gov/vuln/detail/CVE-2023-30609