Improper file handling in matrix-react-sdk

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...

Remote Code Execution (RCE)

matrix-react-sdk is vulnerable to remote code execution. An attacker is able to exploit the vulnerability by accessing the local file preview when uploading a malicious file...

matrix-react-skin (>=0.0.1 <=0.0.2), vector-web (=0.3.0) potentially affected by CVE-2021-32622 via matrix-react-sdk (>=0.0.1 <=0.2.0)

matrix-react-sdk NPM version =0.0.1, =0.0.1, =0.0.2 - vector-web =0.3.0 Source cves: CVE-2021-32622 Source advisory: OSV:GHSA-8796-GC9J-63RV...

CVE-2021-32622

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...

CVE-2021-32622

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...

Design/Logic Flaw

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...

CVE-2021-32622 File upload local preview can run embedded scripts after user interaction

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...

CVE-2021-32622

CVE-2021-32622 affects the Matrix-React-SDK (Matrix-React-SDK) prior to version 3.21.0. The vulnerability arises during file uploads: when a user previews an uploaded file, scripts embedded in the file can execute, but only for the local user and only after several user interactions to open the p...

Travis Ralston matrix-react-sdk 代码问题漏洞

Travis Ralston matrix-react-sdk is an open source application by Travis Ralston. Used to insert the Matrix chat/voice client into a web page. A code issue vulnerability exists in Matrix-React-SDK that arises from an improperly designed or implemented code development process for a web system or...

Sandbox Restrictions Bypass

matrix-react-sdk is vulnerable to sandbox restrictions bypass. The vulnerability exists due to the redundant lockOrigin parameter from usercontent, allowing an attacker to use the user content sandbox to trick users into opening unexpected documents with a blob origin...

Sandbox Breakout

Overview In matrix-react-sdk before version 3.15.0 the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob origin that cannot access Matrix user data, so messages and secrets are not at risk. Recommendation Upgrade to version 3.15...

User content sandbox can be confused into opening arbitrary documents

Impact The user content sandbox can be abused to trick users into opening unexpected documents after several user interactions. The content can be opened with a blob origin from the Matrix client, so it is possible for a malicious document to access user messages and secrets. Patches This has bee...

matrix-react-skin (>=0.0.1 <=0.0.2), vector-web (=0.3.0) potentially affected by CVE-2021-21320 via matrix-react-sdk (>=0.0.1 <=0.2.0)

matrix-react-sdk NPM version =0.0.1, =0.0.1, =0.0.2 - vector-web =0.3.0 Source cves: CVE-2021-21320 Source advisory: OSV:GHSA-52MQ-6JCV-J79X...

CVE-2021-21320

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob origin that cannot access Matrix user data, so...

CVE-2021-21320

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob origin that cannot access Matrix user data, so...

CVE-2021-21320

CVE-2021-21320 affects the matrix-react-sdk (Matrix React SDK) before version 3.15.0, where the user content sandbox could be abused to trigger opening unexpected documents. The issue involves a blob-origin handling scenario that, per sources, cannot access Matrix user data, so messages and secre...

CVE-2021-21320 User content sandbox can be confused into opening arbitrary documents

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob origin that cannot access Matrix user data, so...

matrix-react-sdk 数据伪造问题漏洞

Travis Ralston matrix-react-sdk is an open source application by Travis Ralston. It is used to insert the Matrix chat/voice client into web pages. A security vulnerability exists in matrix-react-sdk before version 3.15.0, which stems from the possibility that user content sandboxing could be abus...