3625 matches found
Cross-site Scripting (XSS)
Matrix Android SDK 2 is vulnerable to cross-site scripting.The vulnerability exists in multiple functions in MXMegolmDecryption.kt due to a protocol confusion in order to send fake to-device messages which allows an attacker to inject the key backup secret during a self-verification...
CVE-2022-39250 Matrix JavaScript SDK vulnerable to key/device identifier confusion in SAS verification
Matrix JavaScript SDK is the Matrix Client-Server software development kit SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one o...
PT-2022-24846 · Unknown · Matrix-Nio
Name of the Vulnerable Software and Affected Versions: matrix-nio versions prior to 0.20 Description: The issue arises when a user requests a room key from their devices. The software remembers the request but fails to check the origin of the forwarded room key, allowing homeservers to potentiall...
CVE-2022-39250
Matrix JavaScript SDK is the Matrix Client-Server software development kit SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one o...
Matrix 安全漏洞
Matrix is an ambitious new ecosystem for open federated instant messaging and VoIP. A security vulnerability in Matrix matrix-nio prior to version 0.19 stems from a vulnerability that allows a malicious home server to insert a room key of questionable validity into the keystore under certain...
Matrix 安全漏洞
Matrix is an ambitious new ecosystem for open federated instant messaging and VoIP. A security vulnerability in Matrix matrix-sdk-crypto prior to version 0.5 stems from a vulnerability that allows a malicious home server to insert a room key of questionable validity into the keystore under certai...
Matrix 授权问题漏洞
Matrix is an ambitious new ecosystem for open federated instant messaging and VoIP. A security vulnerability exists in the Matrix JavaScript SDK prior to version 19.7.0, which arises from checking and signing a user's identity and device in two separate steps and not adequately fixing the key to ...
CVE-2022-39250 Matrix JavaScript SDK vulnerable to key/device identifier confusion in SAS verification
Matrix JavaScript SDK is the Matrix Client-Server software development kit SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one o...
Vulnerabilities fixed in Matrix SDKs
Matrix has fixed vulnerabilities in the following SDKs; matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2. These SDKs are used in a number of Matrix-based clients including the popular Element. The vulnerabilities allow a malicious able to perform attacks that result in the following categori...
CVE-2022-39250 Matrix JavaScript SDK vulnerable to key/device identifier confusion in SAS verification
Matrix JavaScript SDK is the Matrix Client-Server software development kit SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one o...
CVE-2022-39250
CVE-2022-39250 corresponds to a vulnerability in the Matrix JavaScript SDK (matrix-js-sdk) prior to version 19.7.0. The issue arises from checking and signing user identities and devices in two separate steps, and not consistently fixing the signing key between steps, enabling a malicious homeser...
CVE-2022-39250
Matrix JavaScript SDK is the Matrix Client-Server software development kit SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one o...
Cross site request forgery (csrf)
nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply th...
CVE-2022-39264
nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply th...
CVE-2022-39257
Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this m...
CVE-2022-39255
Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a...
Design/Logic Flaw
Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this m...
Type confusion
Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a...
CVE-2022-39257
The CVE concerns Matrix iOS SDK prior to 0.23.19, where a too-permissive key forwarding policy allows an attacker coordinating with a malicious homeserver to create messages that appear to come from another user. The SDK now enforces stricter forwarding: forwarded keys are accepted only in respon...
CVE-2022-39257 Matrix iOS SDK vulnerable to impersonation via forwarded Megolm sessions
Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this m...