CVE-2023-30609 matrix-react-sdk vulnerable to HTML injection in search results via plaintext message highlighting
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message...
CVE-2023-30609
The CVE-2023-30609 issue affects matrix-react-sdk prior to version 3.71.0, where plain text messages containing HTML tags rendered in search results are treated as HTML. Exploitation requires tricking a user into searching for a specific message containing an HTML payload; the vulnerability is mi...
CVE-2023-30609
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message...
matrix-react-skin (>=0.0.1 <=0.0.2), vector-web (=0.3.0) potentially affected by CVE-2023-30609 via matrix-react-sdk (>=0.0.1 <=0.2.0)
matrix-react-sdk NPM version =0.0.1, =0.0.1, =0.0.2 - vector-web =0.3.0 Source cves: CVE-2023-30609 Source advisory: OSV:GHSA-XV83-X443-7RMW...
element-web -- matrix-react-sdk vulnerable to HTML injection in search results via plaintext message highlighting
Matrix developers report: matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching...
Race Condition
@web3-react is vulnerable to a Race Condition. In the event that the user switches chains during the connection flow, the chainId may become outdated, making any data generated from it potentially inaccurate. An application that swaps between chains for instance, can cause the user to tokens mone...
Malicious code in react-pop-tooltip (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 82e661a58f3aee5ad272c3708af6c6e28dc3abe886645d487831298be30ff64e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-732 Malicious code in react-pop-tooltip (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 82e661a58f3aee5ad272c3708af6c6e28dc3abe886645d487831298be30ff64e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
@aprilsacil/wallet (>=0.1.36 <=0.1.51), @bosonprotocol/react-kit (>=0.1.0-alpha.0 <=0.1.0-alpha.2) +43 more potentially affected by CVE-2023-30543 via @web3-react/metamask (>=8.0.14-beta.0 <=8.0.28-beta.0)
@web3-react/metamask NPM version =8.0.14-beta.0, =0.1.36, =0.1.0-alpha.0, =0.0.46, =0.0.70, =1.0.0, =1.0.0, =0.0.1, =1.1.0, =0.0.3, =1.0.0, =1.0.0, =0.0.6-alpha.0, =0.0.12 - @huma-finance/widgets =0.0.6-alpha.0 and more Source cves: CVE-2023-30543 Source advisory: OSV:GHSA-8PF3-6FGR-3G3G...
@aprilsacil/wallet (>=0.1.36 <=0.1.51), @chainfuse/react (>=0.0.46 <=0.1.0-dev.96) +40 more potentially affected by CVE-2023-30543 via @web3-react/walletconnect (>=8.0.23-beta.0 <=8.0.36-beta.0)
@web3-react/walletconnect NPM version =8.0.23-beta.0, =0.1.36, =0.0.46, =0.0.70, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =1.1.0, =0.0.3, =1.0.0, =0.0.6-alpha.0, =0.0.12 - @huma-finance/widgets =0.0.6-alpha.0 - @huma-shan/shared =0.0.1 and more Source cves: CVE-2023-30543 Source advisory:...
@aprilsacil/wallet (>=0.1.36 <=0.1.51), @axelraag/frigg-uniswap-widgets (>=0.0.11 <=0.12.0) +35 more potentially affected by CVE-2023-30543 via @web3-react/eip1193 (>=8.0.11-beta.0 <=8.0.26-beta.0)
@web3-react/eip1193 NPM version =8.0.11-beta.0, =0.1.36, =0.0.11, =0.0.1-alpha.0, =0.0.46, =0.0.70, =1.0.0, =0.0.1, =1.1.0, =0.0.3, =0.12.0, =0.0.6-alpha.0, =0.0.12 - @huma-finance/widgets =0.0.6-alpha.0 - @huma-shan/shared =0.0.1 - @huma-shan/superfluid-widget =0.0.1 and more Source cves:...
GHSA-8PF3-6FGR-3G3G `chainId` may be outdated if user changes chains as part of connection in @web3-react
Impact chainId may be outdated if the user changes chains as part of the connection flow. This means that the value of chainId returned by useWeb3React may be incorrect. In an application, this means that any data derived from chainId could be incorrect. For example, if a swapping application...
@aprilsacil/wallet (>=0.1.36 <=0.1.51), @chainfuse/react (>=0.0.46 <=0.1.0-dev.96) +15 more potentially affected by CVE-2023-30543 via @web3-react/coinbase-wallet (>=8.0.31-beta.0 <=8.0.34-beta.0)
@web3-react/coinbase-wallet NPM version =8.0.31-beta.0, =0.1.36, =0.0.46, =0.0.70, =0.0.6-alpha.0, =0.1.0, =0.0.1, =0.1.0, =0.13.29, =0.1.20, =0.0.1, =0.0.2, =0.0.11, =0.1.31 and more Source cves: CVE-2023-30543 Source advisory: OSV:GHSA-8PF3-6FGR-3G3G...
`chainId` may be outdated if user changes chains as part of connection in @web3-react
Impact chainId may be outdated if the user changes chains as part of the connection flow. This means that the value of chainId returned by useWeb3React may be incorrect. In an application, this means that any data derived from chainId could be incorrect. For example, if a swapping application...
CVE-2023-30543
@web3-react is a framework for building Ethereum Apps. In affected versions the chainId may be outdated if the user changes chains as part of the connection flow. This means that the value of chainId returned by useWeb3React may be incorrect. In an application, this means that any data derived...
Design/Logic Flaw
@web3-react is a framework for building Ethereum Apps. In affected versions the chainId may be outdated if the user changes chains as part of the connection flow. This means that the value of chainId returned by useWeb3React may be incorrect. In an application, this means that any data derived...
CVE-2023-30543
Concrete details: The CVE-2023-30543 entry concerns @web3-react, where chainId can become outdated during a user’s chain-switch in the connection flow. The root cause is that useWeb3React() may return an incorrect chainId, causing dependent data (e.g., wrapped token addresses) to be computed ...
CVE-2023-30543 `chainId` may be outdated if user changes chains as part of connection in @web3-react
@web3-react is a framework for building Ethereum Apps. In affected versions the chainId may be outdated if the user changes chains as part of the connection flow. This means that the value of chainId returned by useWeb3React may be incorrect. In an application, this means that any data derived...