CVSS3: 5.4 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

EPSS: 0.001 Low (percentile 25.7%)

matrix-media-repo is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a lack of content-type validation, which allows an attacker to upload an SVG image containing JavaScript, leading to the execution of that JavaScript in the user's browser.
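
One way a media server can keep an uploaded SVG from running script in its own origin, shown as an added example that is not matrix-media-repo's code or its actual patch. The function name `SafeMediaHeaders` and the allowlist contents are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
)

// inlineSafe is an assumed allowlist: raster formats a browser renders
// without executing script. image/svg+xml and text/html are deliberately absent.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// SafeMediaHeaders (hypothetical helper) builds response headers for serving
// an upload whose Content-Type was declared by the uploader.
func SafeMediaHeaders(declared string) http.Header {
	h := http.Header{}
	// Stop the browser from sniffing a different, more dangerous type.
	h.Set("X-Content-Type-Options", "nosniff")
	// Even if rendered, the document gets an opaque origin and no script.
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")

	// ParseMediaType lowercases the type and strips parameters.
	mt, _, err := mime.ParseMediaType(declared)
	if err != nil {
		mt = "application/octet-stream" // unparseable type: treat as opaque bytes
	}
	h.Set("Content-Type", mt)
	if inlineSafe[mt] {
		h.Set("Content-Disposition", "inline")
	} else {
		// SVG, HTML and anything unknown is downloaded, never rendered inline.
		h.Set("Content-Disposition", "attachment")
	}
	return h
}

func main() {
	// Constructed sample declarations, as an uploader might send them.
	for _, ct := range []string{"image/png", "IMAGE/SVG+XML; charset=utf-8", "text/html", ";;bad"} {
		h := SafeMediaHeaders(ct)
		fmt.Printf("%-32q -> %s, %s\n", ct, h.Get("Content-Type"), h.Get("Content-Disposition"))
	}
}
```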

CPE

Name | Operator | Version |
---|---|---|
github.com/turt2live/matrix-media-repo | eq | HEAD |

developer.mozilla.org/en-US/docs/Web/SVG/Element/script
github.com/turt2live/matrix-media-repo/commit/77ec2354e8f46d5ef149d1dcaf25f51c04149137
github.com/turt2live/matrix-media-repo/commit/bf8abdd7a5371118e280c65a8e0ec2b2e9bdaf59
github.com/turt2live/matrix-media-repo/security/advisories/GHSA-5crw-6j7v-xc72