| |
Vulnerability CVE-2023-37259
Published: 2023-07-18
| Description: |
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side. This issue has been addressed in commit `22fcd34c60` which is included in release version 3.76.0. Users are advised to upgrade. The only known workaround for this issue is to disable or to not use the Export Chat feature. |
Type:
CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References: |
https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8
https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65
|
|
|
Copyright 2026, cxsecurity.com
|
|
|
