HTML injection in search results via plaintext message highlighting

GHSA-xv83-x443-7rmw · CVE-2023-30609

Published Apr 25, 2023 · Modified Nov 8, 2023

Description

Impact

Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload.

Cross-site scripting is possible by including resources from recaptcha.net and gstatic.com which are included in the default CSP.

Thanks to Cadence Ember for finding the injection and to S1m for finding possible XSS vectors.

Patches

Version 3.71.0 of the SDK fixes the issue.

Workarounds

Restarting the client will clear the injection.

References

WEB https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-30609
WEB https://github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826
PACKAGE https://github.com/matrix-org/matrix-react-sdk
WEB https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes