Matrix Android SDK 2 is vulnerable to cross-site scripting.The vulnerability exists in multiple functions in MXMegolmDecryption.kt
due to a protocol confusion in order to send fake to-device messages which allows an attacker to inject the key backup secret during a self-verification.
CPE | Name | Operator | Version |
---|---|---|---|
matrix android sdk 2 | le | 1.4.36 | |
matrix android sdk 2 | le | 1.4.36 |
github.com/matrix-org/matrix-android-sdk2/commit/77df720a238d17308deab83ecaa37f7a4740a17e
github.com/matrix-org/matrix-android-sdk2/releases/tag/v1.5.1
github.com/matrix-org/matrix-android-sdk2/security/advisories/GHSA-fpgf-pjjv-2qgm
matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients