NodeJS/matrix-react-sdk/2.2.2
SDK for matrix.org using React
Repo Link:
https://www.npmjs.com/package/matrix-react-sdk
License:
Apache-2.0
7 Security Vulnerabilities
Published date: 2023-03-28T19:57:57Z
CVE: CVE-2022-36060
Impact
Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered.
Patches
This is fixed in matrix-react-sdk 3.53.0
Workarounds
There are no workarounds. Please upgrade immediately.
References
https://learn.snyk.io/lessons/prototype-pollution/javascript/
For more information
If you have any questions or comments about this advisory please email us at security at matrix.org .
Affected versions:
["0.0.1", "0.0.2", "0.1.0", "0.2.0", "0.3.0", "0.3.1", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.4-r1", "0.6.5", "0.6.5-r1", "0.6.5-r2", "0.6.5-r3", "0.7.1", "0.7.2", "0.7.3", "0.7.4", "0.7.5-rc.1", "0.7.5", "0.8.0", "0.8.1-rc.1", "0.8.1-rc.2", "0.8.1", "0.8.2", "0.8.3", "0.8.3-electron", "0.8.4", "0.8.5-rc.1", "0.8.5", "0.8.6-rc.1", "0.8.6-rc.2", "0.8.6-rc.3", "0.8.6", "0.8.7-rc.1", "0.8.7-rc.2", "0.8.7-rc.3", "0.8.7-rc.4", "0.8.7", "0.8.8-rc.1", "0.8.8-rc.2", "0.8.8", "0.8.9-rc.1", "0.8.9", "0.9.0-rc.1", "0.9.0-rc.2", "0.9.0", "0.9.1", "0.9.2", "0.9.3-rc.1", "0.9.3-rc.2", "0.9.3", "0.9.4", "0.9.5-rc.1", "0.9.5-rc.2", "0.9.5", "0.9.6", "0.9.7", "0.10.0-rc.1", "0.10.0-rc.2", "0.10.1-rc.1", "0.10.1", "0.10.2", "0.10.3-rc.1", "0.10.3-rc.2", "0.10.3", "0.10.4-rc.1", "0.10.4", "0.10.5", "0.10.6", "0.10.7-rc.1", "0.10.7-rc.2", "0.10.7-rc.3", "0.10.7", "0.11.0-rc.1", "0.11.0-rc.2", "0.11.0-rc.3", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.11.4", "0.12.0-rc.1", "0.12.0-rc.2", "0.12.0-rc.3", "0.12.0-rc.4", "0.11.4-cryptowarning.1", "0.11.4-cryptowarning.2", "0.12.0-rc.5", "0.12.0-rc.6", "0.12.0-rc.7", "0.12.0", "0.12.1", "0.12.2", "0.12.3-rc.1", "0.12.3-rc.2", "0.12.3-rc.3", "0.12.3", "0.12.4-rc.1", "0.12.4-rc.2", "0.12.4-rc.3", "0.12.4-rc.4", "0.12.4-rc.5", "0.12.4-rc.6", "0.12.4", "0.12.5", "0.12.6-rc.1", "0.12.6", "0.12.7-rc.1", "0.12.7", "0.12.8-rc.1", "0.12.8-rc.2", "0.12.8", "0.12.9-rc.1", "0.12.9-rc.2", "0.12.9", "0.13.0-rc.1", "0.13.0-rc.2", "0.13.0", "0.13.1-rc.1", "0.13.1", "0.13.2", "0.13.3-rc.1", "0.13.3-rc.2", "0.13.3", "0.13.4-rc.1", "0.13.4", "0.13.5-rc.1", "0.13.5", "0.13.6", "0.14.0-rc.1", "0.14.0", "0.14.1", "0.14.2-rc.1", "0.14.2", "0.14.3", "0.14.4", "0.14.5-rc.1", "0.14.5-rc.2", "0.14.5", "0.14.6", "0.14.7-rc.1", "0.14.7-rc.2", "0.14.7", "0.14.8-rc.1", "0.14.8", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0", "1.0.1", "1.0.2-rc.1", "1.0.2-rc.2", "1.0.2-rc.3", "1.0.2-rc.4", "1.0.2", "1.0.3", "1.0.4-rc.1", "1.0.4", "1.0.5", "1.0.6-rc.1", "1.0.6", "1.0.7", "1.1.0-rc.1", "1.1.0", "1.1.1", "1.1.2", "1.2.0-rc.1", "1.2.0", "1.2.1", "1.2.2-rc.1", "1.2.2-rc.2", "1.2.2", "1.3.0-rc.1", "1.3.0", "1.3.1", "1.4.0-rc.1", "1.4.0-rc.2", "1.4.0-rc.3", "1.4.0", "1.5.0-rc.1", "1.5.0", "1.5.1", "1.5.2-rc.1", "1.5.2", "1.5.3-rc.1", "1.5.3-rc.2", "1.5.3-rc.3", "1.5.3", "1.6.0-rc.1", "1.6.0-rc.2", "1.6.0", "1.6.1", "1.6.2-rc.1", "1.6.2", "1.7.0-rc.1", "1.7.0", "1.7.1-rc.1", "1.7.1-rc.2", "1.7.1", "1.7.2", "1.7.3-rc.1", "1.7.3-rc.2", "1.7.3", "1.7.4", "1.7.5-rc.1", "1.7.5", "1.7.6-rc.1", "1.7.6-rc.2", "1.7.6", "2.0.0-rc.2", "2.0.0", "2.1.0-rc.1", "2.1.0-rc.2", "2.1.0", "2.1.1", "2.2.0-rc.1", "2.2.0", "2.2.1", "2.2.2", "2.2.3-rc.1", "2.2.3", "2.3.0-rc.1", "2.3.0", "2.3.1", "2.4.0-rc.1", "2.5.0-rc.1", "2.5.0-rc.2", "2.5.0-rc.3", "2.5.0-rc.4", "2.5.0-rc.5", "2.5.0-rc.6", "2.5.0", "2.6.0-rc.1", "2.6.0", "2.6.1", "2.7.0-rc.1", "2.7.0-rc.2", "2.7.0", "2.7.1", "2.7.2", "2.8.0-rc.1", "2.8.0", "2.8.1", "2.9.0-rc.1", "2.9.0", "2.10.0", "2.10.1", "3.0.0", "3.1.0-rc.1", "3.1.0", "3.2.0-rc.1", "3.2.0", "3.3.0-rc.1", "3.3.0", "3.4.0-rc.1", "3.4.0", "3.4.1", "3.5.0-rc.1", "3.5.0", "3.6.0-rc.1", "3.6.0", "3.6.1", "3.7.0-rc.1", "3.7.0-rc.2", "3.7.0", "3.7.1", "3.8.0-rc.1", "3.8.0", "3.9.0-rc.1", "3.9.0", "3.10.0-rc.1", "3.10.0", "3.11.0-rc.1", "3.11.0-rc.2", "3.11.0", "3.11.1", "3.12.0-rc.1", "3.12.0", "3.12.1", "3.13.0-rc.1", "3.13.0", "3.13.1", "3.14.0-rc.1", "3.14.0", "3.15.0-rc.1", "3.15.0", "3.16.0-rc.1", "3.16.0-rc.2", "3.16.0", "3.17.0-rc.1", "3.17.0", "3.18.0-rc.1", "3.18.0", "3.19.0-rc.1", "3.19.0", "3.20.0-rc.1", "3.20.0", "3.21.0-rc.1", "3.21.0", "3.22.0-rc.1", "3.22.0", "3.23.0-rc.1", "3.23.0", "3.24.0-rc.1", "3.24.0", "3.25.0-rc.1", "3.25.0", "3.26.0-rc.1", "3.26.0", "3.27.0-rc.1", "3.27.0", "3.28.0-rc.1", "3.28.0", "3.28.1", "3.29.0-rc.1", "3.29.0-rc.2", "3.29.0-rc.3", "3.29.0", "3.30.0-rc.1", "3.30.0-rc.2", "3.29.1", "3.30.0", "3.31.0-rc.1", "3.31.0-rc.2", "3.31.0", "3.32.0-rc.1", "3.32.0-rc.2", "3.32.0", "3.32.1", "3.33.0-rc.1", "3.33.0-rc.2", "3.33.0", "3.34.0-rc.1", "3.34.0", "3.35.0-rc.1", "3.35.1", "3.36.0-rc.1", "3.36.0", "3.36.1", "3.37.0-rc.1", "3.37.0", "3.38.0-rc.1", "3.38.0", "3.39.0-rc.1", "3.39.0-rc.2", "3.39.0", "3.39.1", "3.40.0-rc.1", "3.40.0-rc.2", "3.40.0", "3.40.1", "3.41.0-rc.1", "3.41.0", "3.41.1", "3.42.0-rc.1", "3.42.0", "3.42.1-rc.1", "3.42.1", "3.42.2-rc.1", "3.42.2-rc.2", "3.42.2-rc.3", "3.42.2-rc.4", "3.42.3", "3.42.4", "3.43.0-rc.1", "3.43.0", "3.44.0-rc.1", "3.44.0-rc.2", "3.44.0", "3.45.0-rc.2", "3.45.0-rc.3", "3.45.0", "3.46.0-rc.1", "3.46.0", "3.47.0", "3.48.0-rc.1", "3.48.0", "3.49.0-rc.1", "3.49.0-rc.2", "3.49.0", "3.50.0", "3.51.0-rc.1", "3.51.0", "3.52.0-rc.1", "3.52.0-rc.2", "3.52.0", "3.53.0-rc.1", "3.53.0-rc.2"]
Secure versions:
[3.105.1, 3.106.0-rc.1, 3.106.0, 3.107.0, 3.108.0-rc.0, 3.108.0, 3.109.0-rc.0, 3.109.0, 3.110.0-rc.1, 3.110.0, 3.111.0, 3.112.0-rc.0, 3.112.0, 3.113.0, 3.114.0-rc.0, 3.114.0]
Recommendation:
Update to version 3.114.0.
Published date: 2021-03-03T02:23:56Z
CVE: CVE-2021-21320
Impact
The user content sandbox can be abused to trick users into opening unexpected documents after several user interactions. The content can be opened with a blob
origin from the Matrix client, so it is possible for a malicious document to access user messages and secrets.
Patches
This has been fixed by https://github.com/matrix-org/matrix-react-sdk/pull/5657 , which is included in 3.15.0.
Workarounds
There are no known workarounds.
Affected versions:
["0.0.1", "0.0.2", "0.1.0", "0.2.0", "0.3.0", "0.3.1", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.4-r1", "0.6.5", "0.6.5-r1", "0.6.5-r2", "0.6.5-r3", "0.7.1", "0.7.2", "0.7.3", "0.7.4", "0.7.5-rc.1", "0.7.5", "0.8.0", "0.8.1-rc.1", "0.8.1-rc.2", "0.8.1", "0.8.2", "0.8.3", "0.8.3-electron", "0.8.4", "0.8.5-rc.1", "0.8.5", "0.8.6-rc.1", "0.8.6-rc.2", "0.8.6-rc.3", "0.8.6", "0.8.7-rc.1", "0.8.7-rc.2", "0.8.7-rc.3", "0.8.7-rc.4", "0.8.7", "0.8.8-rc.1", "0.8.8-rc.2", "0.8.8", "0.8.9-rc.1", "0.8.9", "0.9.0-rc.1", "0.9.0-rc.2", "0.9.0", "0.9.1", "0.9.2", "0.9.3-rc.1", "0.9.3-rc.2", "0.9.3", "0.9.4", "0.9.5-rc.1", "0.9.5-rc.2", "0.9.5", "0.9.6", "0.9.7", "0.10.0-rc.1", "0.10.0-rc.2", "0.10.1-rc.1", "0.10.1", "0.10.2", "0.10.3-rc.1", "0.10.3-rc.2", "0.10.3", "0.10.4-rc.1", "0.10.4", "0.10.5", "0.10.6", "0.10.7-rc.1", "0.10.7-rc.2", "0.10.7-rc.3", "0.10.7", "0.11.0-rc.1", "0.11.0-rc.2", "0.11.0-rc.3", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.11.4", "0.12.0-rc.1", "0.12.0-rc.2", "0.12.0-rc.3", "0.12.0-rc.4", "0.11.4-cryptowarning.1", "0.11.4-cryptowarning.2", "0.12.0-rc.5", "0.12.0-rc.6", "0.12.0-rc.7", "0.12.0", "0.12.1", "0.12.2", "0.12.3-rc.1", "0.12.3-rc.2", "0.12.3-rc.3", "0.12.3", "0.12.4-rc.1", "0.12.4-rc.2", "0.12.4-rc.3", "0.12.4-rc.4", "0.12.4-rc.5", "0.12.4-rc.6", "0.12.4", "0.12.5", "0.12.6-rc.1", "0.12.6", "0.12.7-rc.1", "0.12.7", "0.12.8-rc.1", "0.12.8-rc.2", "0.12.8", "0.12.9-rc.1", "0.12.9-rc.2", "0.12.9", "0.13.0-rc.1", "0.13.0-rc.2", "0.13.0", "0.13.1-rc.1", "0.13.1", "0.13.2", "0.13.3-rc.1", "0.13.3-rc.2", "0.13.3", "0.13.4-rc.1", "0.13.4", "0.13.5-rc.1", "0.13.5", "0.13.6", "0.14.0-rc.1", "0.14.0", "0.14.1", "0.14.2-rc.1", "0.14.2", "0.14.3", "0.14.4", "0.14.5-rc.1", "0.14.5-rc.2", "0.14.5", "0.14.6", "0.14.7-rc.1", "0.14.7-rc.2", "0.14.7", "0.14.8-rc.1", "0.14.8", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0", "1.0.1", "1.0.2-rc.1", "1.0.2-rc.2", "1.0.2-rc.3", "1.0.2-rc.4", "1.0.2", "1.0.3", "1.0.4-rc.1", "1.0.4", "1.0.5", "1.0.6-rc.1", "1.0.6", "1.0.7", "1.1.0-rc.1", "1.1.0", "1.1.1", "1.1.2", "1.2.0-rc.1", "1.2.0", "1.2.1", "1.2.2-rc.1", "1.2.2-rc.2", "1.2.2", "1.3.0-rc.1", "1.3.0", "1.3.1", "1.4.0-rc.1", "1.4.0-rc.2", "1.4.0-rc.3", "1.4.0", "1.5.0-rc.1", "1.5.0", "1.5.1", "1.5.2-rc.1", "1.5.2", "1.5.3-rc.1", "1.5.3-rc.2", "1.5.3-rc.3", "1.5.3", "1.6.0-rc.1", "1.6.0-rc.2", "1.6.0", "1.6.1", "1.6.2-rc.1", "1.6.2", "1.7.0-rc.1", "1.7.0", "1.7.1-rc.1", "1.7.1-rc.2", "1.7.1", "1.7.2", "1.7.3-rc.1", "1.7.3-rc.2", "1.7.3", "1.7.4", "1.7.5-rc.1", "1.7.5", "1.7.6-rc.1", "1.7.6-rc.2", "1.7.6", "2.0.0-rc.2", "2.0.0", "2.1.0-rc.1", "2.1.0-rc.2", "2.1.0", "2.1.1", "2.2.0-rc.1", "2.2.0", "2.2.1", "2.2.2", "2.2.3-rc.1", "2.2.3", "2.3.0-rc.1", "2.3.0", "2.3.1", "2.4.0-rc.1", "2.5.0-rc.1", "2.5.0-rc.2", "2.5.0-rc.3", "2.5.0-rc.4", "2.5.0-rc.5", "2.5.0-rc.6", "2.5.0", "2.6.0-rc.1", "2.6.0", "2.6.1", "2.7.0-rc.1", "2.7.0-rc.2", "2.7.0", "2.7.1", "2.7.2", "2.8.0-rc.1", "2.8.0", "2.8.1", "2.9.0-rc.1", "2.9.0", "2.10.0", "2.10.1", "3.0.0", "3.1.0-rc.1", "3.1.0", "3.2.0-rc.1", "3.2.0", "3.3.0-rc.1", "3.3.0", "3.4.0-rc.1", "3.4.0", "3.4.1", "3.5.0-rc.1", "3.5.0", "3.6.0-rc.1", "3.6.0", "3.6.1", "3.7.0-rc.1", "3.7.0-rc.2", "3.7.0", "3.7.1", "3.8.0-rc.1", "3.8.0", "3.9.0-rc.1", "3.9.0", "3.10.0-rc.1", "3.10.0", "3.11.0-rc.1", "3.11.0-rc.2", "3.11.0", "3.11.1", "3.12.0-rc.1", "3.12.0", "3.12.1", "3.13.0-rc.1", "3.13.0", "3.13.1", "3.14.0-rc.1", "3.14.0", "3.15.0-rc.1"]
Secure versions:
[3.105.1, 3.106.0-rc.1, 3.106.0, 3.107.0, 3.108.0-rc.0, 3.108.0, 3.109.0-rc.0, 3.109.0, 3.110.0-rc.1, 3.110.0, 3.111.0, 3.112.0-rc.0, 3.112.0, 3.113.0, 3.114.0-rc.0, 3.114.0]
Recommendation:
Update to version 3.114.0.
Published date: 2023-03-29T19:34:25Z
CVE: CVE-2023-28103
Impact
In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the Object.prototype
, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic.
(This is part 2, where CVE-2022-36060 / GHSA-2x9c-qwgf-94xr is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)
Patches
This is fixed in matrix-react-sdk 3.69.0
Workarounds
None.
References
Release blog post
The advisory GHSA-2x9c-qwgf-94xr (CVE-2022-36060 ) refers to an initial set of vulnerable locations discovered and patched in matrix-react-sdk 3.53.0. We opted not to disclose that advisory while we performed an audit of the codebase and are now disclosing it jointly with this one.
For more information
If you have any questions or comments about this advisory please email us at security at matrix.org .
Affected versions:
["0.0.1", "0.0.2", "0.1.0", "0.2.0", "0.3.0", "0.3.1", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.4-r1", "0.6.5", "0.6.5-r1", "0.6.5-r2", "0.6.5-r3", "0.7.1", "0.7.2", "0.7.3", "0.7.4", "0.7.5-rc.1", "0.7.5", "0.8.0", "0.8.1-rc.1", "0.8.1-rc.2", "0.8.1", "0.8.2", "0.8.3", "0.8.3-electron", "0.8.4", "0.8.5-rc.1", "0.8.5", "0.8.6-rc.1", "0.8.6-rc.2", "0.8.6-rc.3", "0.8.6", "0.8.7-rc.1", "0.8.7-rc.2", "0.8.7-rc.3", "0.8.7-rc.4", "0.8.7", "0.8.8-rc.1", "0.8.8-rc.2", "0.8.8", "0.8.9-rc.1", "0.8.9", "0.9.0-rc.1", "0.9.0-rc.2", "0.9.0", "0.9.1", "0.9.2", "0.9.3-rc.1", "0.9.3-rc.2", "0.9.3", "0.9.4", "0.9.5-rc.1", "0.9.5-rc.2", "0.9.5", "0.9.6", "0.9.7", "0.10.0-rc.1", "0.10.0-rc.2", "0.10.1-rc.1", "0.10.1", "0.10.2", "0.10.3-rc.1", "0.10.3-rc.2", "0.10.3", "0.10.4-rc.1", "0.10.4", "0.10.5", "0.10.6", "0.10.7-rc.1", "0.10.7-rc.2", "0.10.7-rc.3", "0.10.7", "0.11.0-rc.1", "0.11.0-rc.2", "0.11.0-rc.3", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.11.4", "0.12.0-rc.1", "0.12.0-rc.2", "0.12.0-rc.3", "0.12.0-rc.4", "0.11.4-cryptowarning.1", "0.11.4-cryptowarning.2", "0.12.0-rc.5", "0.12.0-rc.6", "0.12.0-rc.7", "0.12.0", "0.12.1", "0.12.2", "0.12.3-rc.1", "0.12.3-rc.2", "0.12.3-rc.3", "0.12.3", "0.12.4-rc.1", "0.12.4-rc.2", "0.12.4-rc.3", "0.12.4-rc.4", "0.12.4-rc.5", "0.12.4-rc.6", "0.12.4", "0.12.5", "0.12.6-rc.1", "0.12.6", "0.12.7-rc.1", "0.12.7", "0.12.8-rc.1", "0.12.8-rc.2", "0.12.8", "0.12.9-rc.1", "0.12.9-rc.2", "0.12.9", "0.13.0-rc.1", "0.13.0-rc.2", "0.13.0", "0.13.1-rc.1", "0.13.1", "0.13.2", "0.13.3-rc.1", "0.13.3-rc.2", "0.13.3", "0.13.4-rc.1", "0.13.4", "0.13.5-rc.1", "0.13.5", "0.13.6", "0.14.0-rc.1", "0.14.0", "0.14.1", "0.14.2-rc.1", "0.14.2", "0.14.3", "0.14.4", "0.14.5-rc.1", "0.14.5-rc.2", "0.14.5", "0.14.6", "0.14.7-rc.1", "0.14.7-rc.2", "0.14.7", "0.14.8-rc.1", "0.14.8", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0", "1.0.1", "1.0.2-rc.1", "1.0.2-rc.2", "1.0.2-rc.3", "1.0.2-rc.4", "1.0.2", "1.0.3", "1.0.4-rc.1", "1.0.4", "1.0.5", "1.0.6-rc.1", "1.0.6", "1.0.7", "1.1.0-rc.1", "1.1.0", "1.1.1", "1.1.2", "1.2.0-rc.1", "1.2.0", "1.2.1", "1.2.2-rc.1", "1.2.2-rc.2", "1.2.2", "1.3.0-rc.1", "1.3.0", "1.3.1", "1.4.0-rc.1", "1.4.0-rc.2", "1.4.0-rc.3", "1.4.0", "1.5.0-rc.1", "1.5.0", "1.5.1", "1.5.2-rc.1", "1.5.2", "1.5.3-rc.1", "1.5.3-rc.2", "1.5.3-rc.3", "1.5.3", "1.6.0-rc.1", "1.6.0-rc.2", "1.6.0", "1.6.1", "1.6.2-rc.1", "1.6.2", "1.7.0-rc.1", "1.7.0", "1.7.1-rc.1", "1.7.1-rc.2", "1.7.1", "1.7.2", "1.7.3-rc.1", "1.7.3-rc.2", "1.7.3", "1.7.4", "1.7.5-rc.1", "1.7.5", "1.7.6-rc.1", "1.7.6-rc.2", "1.7.6", "2.0.0-rc.2", "2.0.0", "2.1.0-rc.1", "2.1.0-rc.2", "2.1.0", "2.1.1", "2.2.0-rc.1", "2.2.0", "2.2.1", "2.2.2", "2.2.3-rc.1", "2.2.3", "2.3.0-rc.1", "2.3.0", "2.3.1", "2.4.0-rc.1", "2.5.0-rc.1", "2.5.0-rc.2", "2.5.0-rc.3", "2.5.0-rc.4", "2.5.0-rc.5", "2.5.0-rc.6", "2.5.0", "2.6.0-rc.1", "2.6.0", "2.6.1", "2.7.0-rc.1", "2.7.0-rc.2", "2.7.0", "2.7.1", "2.7.2", "2.8.0-rc.1", "2.8.0", "2.8.1", "2.9.0-rc.1", "2.9.0", "2.10.0", "2.10.1", "3.0.0", "3.1.0-rc.1", "3.1.0", "3.2.0-rc.1", "3.2.0", "3.3.0-rc.1", "3.3.0", "3.4.0-rc.1", "3.4.0", "3.4.1", "3.5.0-rc.1", "3.5.0", "3.6.0-rc.1", "3.6.0", "3.6.1", "3.7.0-rc.1", "3.7.0-rc.2", "3.7.0", "3.7.1", "3.8.0-rc.1", "3.8.0", "3.9.0-rc.1", "3.9.0", "3.10.0-rc.1", "3.10.0", "3.11.0-rc.1", "3.11.0-rc.2", "3.11.0", "3.11.1", "3.12.0-rc.1", "3.12.0", "3.12.1", "3.13.0-rc.1", "3.13.0", "3.13.1", "3.14.0-rc.1", "3.14.0", "3.15.0-rc.1", "3.15.0", "3.16.0-rc.1", "3.16.0-rc.2", "3.16.0", "3.17.0-rc.1", "3.17.0", "3.18.0-rc.1", "3.18.0", "3.19.0-rc.1", "3.19.0", "3.20.0-rc.1", "3.20.0", "3.21.0-rc.1", "3.21.0", "3.22.0-rc.1", "3.22.0", "3.23.0-rc.1", "3.23.0", "3.24.0-rc.1", "3.24.0", "3.25.0-rc.1", "3.25.0", "3.26.0-rc.1", "3.26.0", "3.27.0-rc.1", "3.27.0", "3.28.0-rc.1", "3.28.0", "3.28.1", "3.29.0-rc.1", "3.29.0-rc.2", "3.29.0-rc.3", "3.29.0", "3.30.0-rc.1", "3.30.0-rc.2", "3.29.1", "3.30.0", "3.31.0-rc.1", "3.31.0-rc.2", "3.31.0", "3.32.0-rc.1", "3.32.0-rc.2", "3.32.0", "3.32.1", "3.33.0-rc.1", "3.33.0-rc.2", "3.33.0", "3.34.0-rc.1", "3.34.0", "3.35.0-rc.1", "3.35.1", "3.36.0-rc.1", "3.36.0", "3.36.1", "3.37.0-rc.1", "3.37.0", "3.38.0-rc.1", "3.38.0", "3.39.0-rc.1", "3.39.0-rc.2", "3.39.0", "3.39.1", "3.40.0-rc.1", "3.40.0-rc.2", "3.40.0", "3.40.1", "3.41.0-rc.1", "3.41.0", "3.41.1", "3.42.0-rc.1", "3.42.0", "3.42.1-rc.1", "3.42.1", "3.42.2-rc.1", "3.42.2-rc.2", "3.42.2-rc.3", "3.42.2-rc.4", "3.42.3", "3.42.4", "3.43.0-rc.1", "3.43.0", "3.44.0-rc.1", "3.44.0-rc.2", "3.44.0", "3.45.0-rc.2", "3.45.0-rc.3", "3.45.0", "3.46.0-rc.1", "3.46.0", "3.47.0", "3.48.0-rc.1", "3.48.0", "3.49.0-rc.1", "3.49.0-rc.2", "3.49.0", "3.50.0", "3.51.0-rc.1", "3.51.0", "3.52.0-rc.1", "3.52.0-rc.2", "3.52.0", "3.53.0-rc.1", "3.53.0-rc.2", "3.53.0", "3.54.0-rc.1", "3.54.0", "3.55.0-rc.1", "3.55.0", "3.56.0", "3.57.0", "3.58.0-rc.1", "3.58.0-rc.2", "3.58.0", "3.58.1", "3.59.0-rc.1", "3.59.0-rc.2", "3.59.0", "3.59.1", "3.60.0-rc.1", "3.60.0-rc.2", "3.60.0", "3.61.0-rc.1", "3.61.0", "3.62.0-rc.1", "3.62.0-rc.2", "3.62.0", "3.63.0-rc.2", "3.63.0", "3.64.0-rc.1", "3.64.0-rc.2", "3.64.0-rc.3", "3.64.0-rc.4", "3.64.0", "3.64.1", "3.64.2", "3.65.0-rc.1", "3.65.0", "3.66.0-rc.1", "3.66.0", "3.67.0-rc.1", "3.67.0-rc.2", "3.67.0", "3.68.0-rc.1", "3.68.0-rc.2", "3.68.0-rc.3", "3.68.0"]
Secure versions:
[3.105.1, 3.106.0-rc.1, 3.106.0, 3.107.0, 3.108.0-rc.0, 3.108.0, 3.109.0-rc.0, 3.109.0, 3.110.0-rc.1, 3.110.0, 3.111.0, 3.112.0-rc.0, 3.112.0, 3.113.0, 3.114.0-rc.0, 3.114.0]
Recommendation:
Update to version 3.114.0.
Published date: 2021-05-17T20:51:16Z
Impact
When uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file, but only after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users.
Patches
This has been fixed by https://github.com/matrix-org/matrix-react-sdk/pull/5981 , which is included in 3.21.0.
Workarounds
There are no known workarounds.
Affected versions:
["0.0.1", "0.0.2", "0.1.0", "0.2.0", "0.3.0", "0.3.1", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.4-r1", "0.6.5", "0.6.5-r1", "0.6.5-r2", "0.6.5-r3", "0.7.1", "0.7.2", "0.7.3", "0.7.4", "0.7.5-rc.1", "0.7.5", "0.8.0", "0.8.1-rc.1", "0.8.1-rc.2", "0.8.1", "0.8.2", "0.8.3", "0.8.3-electron", "0.8.4", "0.8.5-rc.1", "0.8.5", "0.8.6-rc.1", "0.8.6-rc.2", "0.8.6-rc.3", "0.8.6", "0.8.7-rc.1", "0.8.7-rc.2", "0.8.7-rc.3", "0.8.7-rc.4", "0.8.7", "0.8.8-rc.1", "0.8.8-rc.2", "0.8.8", "0.8.9-rc.1", "0.8.9", "0.9.0-rc.1", "0.9.0-rc.2", "0.9.0", "0.9.1", "0.9.2", "0.9.3-rc.1", "0.9.3-rc.2", "0.9.3", "0.9.4", "0.9.5-rc.1", "0.9.5-rc.2", "0.9.5", "0.9.6", "0.9.7", "0.10.0-rc.1", "0.10.0-rc.2", "0.10.1-rc.1", "0.10.1", "0.10.2", "0.10.3-rc.1", "0.10.3-rc.2", "0.10.3", "0.10.4-rc.1", "0.10.4", "0.10.5", "0.10.6", "0.10.7-rc.1", "0.10.7-rc.2", "0.10.7-rc.3", "0.10.7", "0.11.0-rc.1", "0.11.0-rc.2", "0.11.0-rc.3", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.11.4", "0.12.0-rc.1", "0.12.0-rc.2", "0.12.0-rc.3", "0.12.0-rc.4", "0.11.4-cryptowarning.1", "0.11.4-cryptowarning.2", "0.12.0-rc.5", "0.12.0-rc.6", "0.12.0-rc.7", "0.12.0", "0.12.1", "0.12.2", "0.12.3-rc.1", "0.12.3-rc.2", "0.12.3-rc.3", "0.12.3", "0.12.4-rc.1", "0.12.4-rc.2", "0.12.4-rc.3", "0.12.4-rc.4", "0.12.4-rc.5", "0.12.4-rc.6", "0.12.4", "0.12.5", "0.12.6-rc.1", "0.12.6", "0.12.7-rc.1", "0.12.7", "0.12.8-rc.1", "0.12.8-rc.2", "0.12.8", "0.12.9-rc.1", "0.12.9-rc.2", "0.12.9", "0.13.0-rc.1", "0.13.0-rc.2", "0.13.0", "0.13.1-rc.1", "0.13.1", "0.13.2", "0.13.3-rc.1", "0.13.3-rc.2", "0.13.3", "0.13.4-rc.1", "0.13.4", "0.13.5-rc.1", "0.13.5", "0.13.6", "0.14.0-rc.1", "0.14.0", "0.14.1", "0.14.2-rc.1", "0.14.2", "0.14.3", "0.14.4", "0.14.5-rc.1", "0.14.5-rc.2", "0.14.5", "0.14.6", "0.14.7-rc.1", "0.14.7-rc.2", "0.14.7", "0.14.8-rc.1", "0.14.8", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0", "1.0.1", "1.0.2-rc.1", "1.0.2-rc.2", "1.0.2-rc.3", "1.0.2-rc.4", "1.0.2", "1.0.3", "1.0.4-rc.1", "1.0.4", "1.0.5", "1.0.6-rc.1", "1.0.6", "1.0.7", "1.1.0-rc.1", "1.1.0", "1.1.1", "1.1.2", "1.2.0-rc.1", "1.2.0", "1.2.1", "1.2.2-rc.1", "1.2.2-rc.2", "1.2.2", "1.3.0-rc.1", "1.3.0", "1.3.1", "1.4.0-rc.1", "1.4.0-rc.2", "1.4.0-rc.3", "1.4.0", "1.5.0-rc.1", "1.5.0", "1.5.1", "1.5.2-rc.1", "1.5.2", "1.5.3-rc.1", "1.5.3-rc.2", "1.5.3-rc.3", "1.5.3", "1.6.0-rc.1", "1.6.0-rc.2", "1.6.0", "1.6.1", "1.6.2-rc.1", "1.6.2", "1.7.0-rc.1", "1.7.0", "1.7.1-rc.1", "1.7.1-rc.2", "1.7.1", "1.7.2", "1.7.3-rc.1", "1.7.3-rc.2", "1.7.3", "1.7.4", "1.7.5-rc.1", "1.7.5", "1.7.6-rc.1", "1.7.6-rc.2", "1.7.6", "2.0.0-rc.2", "2.0.0", "2.1.0-rc.1", "2.1.0-rc.2", "2.1.0", "2.1.1", "2.2.0-rc.1", "2.2.0", "2.2.1", "2.2.2", "2.2.3-rc.1", "2.2.3", "2.3.0-rc.1", "2.3.0", "2.3.1", "2.4.0-rc.1", "2.5.0-rc.1", "2.5.0-rc.2", "2.5.0-rc.3", "2.5.0-rc.4", "2.5.0-rc.5", "2.5.0-rc.6", "2.5.0", "2.6.0-rc.1", "2.6.0", "2.6.1", "2.7.0-rc.1", "2.7.0-rc.2", "2.7.0", "2.7.1", "2.7.2", "2.8.0-rc.1", "2.8.0", "2.8.1", "2.9.0-rc.1", "2.9.0", "2.10.0", "2.10.1", "3.0.0", "3.1.0-rc.1", "3.1.0", "3.2.0-rc.1", "3.2.0", "3.3.0-rc.1", "3.3.0", "3.4.0-rc.1", "3.4.0", "3.4.1", "3.5.0-rc.1", "3.5.0", "3.6.0-rc.1", "3.6.0", "3.6.1", "3.7.0-rc.1", "3.7.0-rc.2", "3.7.0", "3.7.1", "3.8.0-rc.1", "3.8.0", "3.9.0-rc.1", "3.9.0", "3.10.0-rc.1", "3.10.0", "3.11.0-rc.1", "3.11.0-rc.2", "3.11.0", "3.11.1", "3.12.0-rc.1", "3.12.0", "3.12.1", "3.13.0-rc.1", "3.13.0", "3.13.1", "3.14.0-rc.1", "3.14.0", "3.15.0-rc.1", "3.15.0", "3.16.0-rc.1", "3.16.0-rc.2", "3.16.0", "3.17.0-rc.1", "3.17.0", "3.18.0-rc.1", "3.18.0", "3.19.0-rc.1", "3.19.0", "3.20.0-rc.1", "3.20.0", "3.21.0-rc.1"]
Secure versions:
[3.105.1, 3.106.0-rc.1, 3.106.0, 3.107.0, 3.108.0-rc.0, 3.108.0, 3.109.0-rc.0, 3.109.0, 3.110.0-rc.1, 3.110.0, 3.111.0, 3.112.0-rc.0, 3.112.0, 3.113.0, 3.114.0-rc.0, 3.114.0]
Recommendation:
Update to version 3.114.0.
Published date: 2022-02-10T23:46:51Z
CVE: CVE-2021-32622
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. This vulnerability is patched in version 3.21.0.
Affected versions:
["0.0.1", "0.0.2", "0.1.0", "0.2.0", "0.3.0", "0.3.1", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.4-r1", "0.6.5", "0.6.5-r1", "0.6.5-r2", "0.6.5-r3", "0.7.1", "0.7.2", "0.7.3", "0.7.4", "0.7.5-rc.1", "0.7.5", "0.8.0", "0.8.1-rc.1", "0.8.1-rc.2", "0.8.1", "0.8.2", "0.8.3", "0.8.3-electron", "0.8.4", "0.8.5-rc.1", "0.8.5", "0.8.6-rc.1", "0.8.6-rc.2", "0.8.6-rc.3", "0.8.6", "0.8.7-rc.1", "0.8.7-rc.2", "0.8.7-rc.3", "0.8.7-rc.4", "0.8.7", "0.8.8-rc.1", "0.8.8-rc.2", "0.8.8", "0.8.9-rc.1", "0.8.9", "0.9.0-rc.1", "0.9.0-rc.2", "0.9.0", "0.9.1", "0.9.2", "0.9.3-rc.1", "0.9.3-rc.2", "0.9.3", "0.9.4", "0.9.5-rc.1", "0.9.5-rc.2", "0.9.5", "0.9.6", "0.9.7", "0.10.0-rc.1", "0.10.0-rc.2", "0.10.1-rc.1", "0.10.1", "0.10.2", "0.10.3-rc.1", "0.10.3-rc.2", "0.10.3", "0.10.4-rc.1", "0.10.4", "0.10.5", "0.10.6", "0.10.7-rc.1", "0.10.7-rc.2", "0.10.7-rc.3", "0.10.7", "0.11.0-rc.1", "0.11.0-rc.2", "0.11.0-rc.3", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.11.4", "0.12.0-rc.1", "0.12.0-rc.2", "0.12.0-rc.3", "0.12.0-rc.4", "0.11.4-cryptowarning.1", "0.11.4-cryptowarning.2", "0.12.0-rc.5", "0.12.0-rc.6", "0.12.0-rc.7", "0.12.0", "0.12.1", "0.12.2", "0.12.3-rc.1", "0.12.3-rc.2", "0.12.3-rc.3", "0.12.3", "0.12.4-rc.1", "0.12.4-rc.2", "0.12.4-rc.3", "0.12.4-rc.4", "0.12.4-rc.5", "0.12.4-rc.6", "0.12.4", "0.12.5", "0.12.6-rc.1", "0.12.6", "0.12.7-rc.1", "0.12.7", "0.12.8-rc.1", "0.12.8-rc.2", "0.12.8", "0.12.9-rc.1", "0.12.9-rc.2", "0.12.9", "0.13.0-rc.1", "0.13.0-rc.2", "0.13.0", "0.13.1-rc.1", "0.13.1", "0.13.2", "0.13.3-rc.1", "0.13.3-rc.2", "0.13.3", "0.13.4-rc.1", "0.13.4", "0.13.5-rc.1", "0.13.5", "0.13.6", "0.14.0-rc.1", "0.14.0", "0.14.1", "0.14.2-rc.1", "0.14.2", "0.14.3", "0.14.4", "0.14.5-rc.1", "0.14.5-rc.2", "0.14.5", "0.14.6", "0.14.7-rc.1", "0.14.7-rc.2", "0.14.7", "0.14.8-rc.1", "0.14.8", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0", "1.0.1", "1.0.2-rc.1", "1.0.2-rc.2", "1.0.2-rc.3", "1.0.2-rc.4", "1.0.2", "1.0.3", "1.0.4-rc.1", "1.0.4", "1.0.5", "1.0.6-rc.1", "1.0.6", "1.0.7", "1.1.0-rc.1", "1.1.0", "1.1.1", "1.1.2", "1.2.0-rc.1", "1.2.0", "1.2.1", "1.2.2-rc.1", "1.2.2-rc.2", "1.2.2", "1.3.0-rc.1", "1.3.0", "1.3.1", "1.4.0-rc.1", "1.4.0-rc.2", "1.4.0-rc.3", "1.4.0", "1.5.0-rc.1", "1.5.0", "1.5.1", "1.5.2-rc.1", "1.5.2", "1.5.3-rc.1", "1.5.3-rc.2", "1.5.3-rc.3", "1.5.3", "1.6.0-rc.1", "1.6.0-rc.2", "1.6.0", "1.6.1", "1.6.2-rc.1", "1.6.2", "1.7.0-rc.1", "1.7.0", "1.7.1-rc.1", "1.7.1-rc.2", "1.7.1", "1.7.2", "1.7.3-rc.1", "1.7.3-rc.2", "1.7.3", "1.7.4", "1.7.5-rc.1", "1.7.5", "1.7.6-rc.1", "1.7.6-rc.2", "1.7.6", "2.0.0-rc.2", "2.0.0", "2.1.0-rc.1", "2.1.0-rc.2", "2.1.0", "2.1.1", "2.2.0-rc.1", "2.2.0", "2.2.1", "2.2.2", "2.2.3-rc.1", "2.2.3", "2.3.0-rc.1", "2.3.0", "2.3.1", "2.4.0-rc.1", "2.5.0-rc.1", "2.5.0-rc.2", "2.5.0-rc.3", "2.5.0-rc.4", "2.5.0-rc.5", "2.5.0-rc.6", "2.5.0", "2.6.0-rc.1", "2.6.0", "2.6.1", "2.7.0-rc.1", "2.7.0-rc.2", "2.7.0", "2.7.1", "2.7.2", "2.8.0-rc.1", "2.8.0", "2.8.1", "2.9.0-rc.1", "2.9.0", "2.10.0", "2.10.1", "3.0.0", "3.1.0-rc.1", "3.1.0", "3.2.0-rc.1", "3.2.0", "3.3.0-rc.1", "3.3.0", "3.4.0-rc.1", "3.4.0", "3.4.1", "3.5.0-rc.1", "3.5.0", "3.6.0-rc.1", "3.6.0", "3.6.1", "3.7.0-rc.1", "3.7.0-rc.2", "3.7.0", "3.7.1", "3.8.0-rc.1", "3.8.0", "3.9.0-rc.1", "3.9.0", "3.10.0-rc.1", "3.10.0", "3.11.0-rc.1", "3.11.0-rc.2", "3.11.0", "3.11.1", "3.12.0-rc.1", "3.12.0", "3.12.1", "3.13.0-rc.1", "3.13.0", "3.13.1", "3.14.0-rc.1", "3.14.0", "3.15.0-rc.1", "3.15.0", "3.16.0-rc.1", "3.16.0-rc.2", "3.16.0", "3.17.0-rc.1", "3.17.0", "3.18.0-rc.1", "3.18.0", "3.19.0-rc.1", "3.19.0", "3.20.0-rc.1", "3.20.0", "3.21.0-rc.1"]
Secure versions:
[3.105.1, 3.106.0-rc.1, 3.106.0, 3.107.0, 3.108.0-rc.0, 3.108.0, 3.109.0-rc.0, 3.109.0, 3.110.0-rc.1, 3.110.0, 3.111.0, 3.112.0-rc.0, 3.112.0, 3.113.0, 3.114.0-rc.0, 3.114.0]
Recommendation:
Update to version 3.114.0.
Published date: 2024-08-06T14:12:45Z
CVE: CVE-2024-42347
Impact
A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server.
Even if the CVSS score would be 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N ) the maintainer classifies this as High severity issue.
Patches
This was patched in matrix-react-sdk 3.105.1.
Workarounds
Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected.
References
N/A.
Affected versions:
["0.0.1", "0.0.2", "0.1.0", "0.2.0", "0.3.0", "0.3.1", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.4-r1", "0.6.5", "0.6.5-r1", "0.6.5-r2", "0.6.5-r3", "0.7.1", "0.7.2", "0.7.3", "0.7.4", "0.7.5-rc.1", "0.7.5", "0.8.0", "0.8.1-rc.1", "0.8.1-rc.2", "0.8.1", "0.8.2", "0.8.3", "0.8.3-electron", "0.8.4", "0.8.5-rc.1", "0.8.5", "0.8.6-rc.1", "0.8.6-rc.2", "0.8.6-rc.3", "0.8.6", "0.8.7-rc.1", "0.8.7-rc.2", "0.8.7-rc.3", "0.8.7-rc.4", "0.8.7", "0.8.8-rc.1", "0.8.8-rc.2", "0.8.8", "0.8.9-rc.1", "0.8.9", "0.9.0-rc.1", "0.9.0-rc.2", "0.9.0", "0.9.1", "0.9.2", "0.9.3-rc.1", "0.9.3-rc.2", "0.9.3", "0.9.4", "0.9.5-rc.1", "0.9.5-rc.2", "0.9.5", "0.9.6", "0.9.7", "0.10.0-rc.1", "0.10.0-rc.2", "0.10.1-rc.1", "0.10.1", "0.10.2", "0.10.3-rc.1", "0.10.3-rc.2", "0.10.3", "0.10.4-rc.1", "0.10.4", "0.10.5", "0.10.6", "0.10.7-rc.1", "0.10.7-rc.2", "0.10.7-rc.3", "0.10.7", "0.11.0-rc.1", "0.11.0-rc.2", "0.11.0-rc.3", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.11.4", "0.12.0-rc.1", "0.12.0-rc.2", "0.12.0-rc.3", "0.12.0-rc.4", "0.11.4-cryptowarning.1", "0.11.4-cryptowarning.2", "0.12.0-rc.5", "0.12.0-rc.6", "0.12.0-rc.7", "0.12.0", "0.12.1", "0.12.2", "0.12.3-rc.1", "0.12.3-rc.2", "0.12.3-rc.3", "0.12.3", "0.12.4-rc.1", "0.12.4-rc.2", "0.12.4-rc.3", "0.12.4-rc.4", "0.12.4-rc.5", "0.12.4-rc.6", "0.12.4", "0.12.5", "0.12.6-rc.1", "0.12.6", "0.12.7-rc.1", "0.12.7", "0.12.8-rc.1", "0.12.8-rc.2", "0.12.8", "0.12.9-rc.1", "0.12.9-rc.2", "0.12.9", "0.13.0-rc.1", "0.13.0-rc.2", "0.13.0", "0.13.1-rc.1", "0.13.1", "0.13.2", "0.13.3-rc.1", "0.13.3-rc.2", "0.13.3", "0.13.4-rc.1", "0.13.4", "0.13.5-rc.1", "0.13.5", "0.13.6", "0.14.0-rc.1", "0.14.0", "0.14.1", "0.14.2-rc.1", "0.14.2", "0.14.3", "0.14.4", "0.14.5-rc.1", "0.14.5-rc.2", "0.14.5", "0.14.6", "0.14.7-rc.1", "0.14.7-rc.2", "0.14.7", "0.14.8-rc.1", "0.14.8", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0", "1.0.1", "1.0.2-rc.1", "1.0.2-rc.2", "1.0.2-rc.3", "1.0.2-rc.4", "1.0.2", "1.0.3", "1.0.4-rc.1", "1.0.4", "1.0.5", "1.0.6-rc.1", "1.0.6", "1.0.7", "1.1.0-rc.1", "1.1.0", "1.1.1", "1.1.2", "1.2.0-rc.1", "1.2.0", "1.2.1", "1.2.2-rc.1", "1.2.2-rc.2", "1.2.2", "1.3.0-rc.1", "1.3.0", "1.3.1", "1.4.0-rc.1", "1.4.0-rc.2", "1.4.0-rc.3", "1.4.0", "1.5.0-rc.1", "1.5.0", "1.5.1", "1.5.2-rc.1", "1.5.2", "1.5.3-rc.1", "1.5.3-rc.2", "1.5.3-rc.3", "1.5.3", "1.6.0-rc.1", "1.6.0-rc.2", "1.6.0", "1.6.1", "1.6.2-rc.1", "1.6.2", "1.7.0-rc.1", "1.7.0", "1.7.1-rc.1", "1.7.1-rc.2", "1.7.1", "1.7.2", "1.7.3-rc.1", "1.7.3-rc.2", "1.7.3", "1.7.4", "1.7.5-rc.1", "1.7.5", "1.7.6-rc.1", "1.7.6-rc.2", "1.7.6", "2.0.0-rc.2", "2.0.0", "2.1.0-rc.1", "2.1.0-rc.2", "2.1.0", "2.1.1", "2.2.0-rc.1", "2.2.0", "2.2.1", "2.2.2", "2.2.3-rc.1", "2.2.3", "2.3.0-rc.1", "2.3.0", "2.3.1", "2.4.0-rc.1", "2.5.0-rc.1", "2.5.0-rc.2", "2.5.0-rc.3", "2.5.0-rc.4", "2.5.0-rc.5", "2.5.0-rc.6", "2.5.0", "2.6.0-rc.1", "2.6.0", "2.6.1", "2.7.0-rc.1", "2.7.0-rc.2", "2.7.0", "2.7.1", "2.7.2", "2.8.0-rc.1", "2.8.0", "2.8.1", "2.9.0-rc.1", "2.9.0", "2.10.0", "2.10.1", "3.0.0", "3.1.0-rc.1", "3.1.0", "3.2.0-rc.1", "3.2.0", "3.3.0-rc.1", "3.3.0", "3.4.0-rc.1", "3.4.0", "3.4.1", "3.5.0-rc.1", "3.5.0", "3.6.0-rc.1", "3.6.0", "3.6.1", "3.7.0-rc.1", "3.7.0-rc.2", "3.7.0", "3.7.1", "3.8.0-rc.1", "3.8.0", "3.9.0-rc.1", "3.9.0", "3.10.0-rc.1", "3.10.0", "3.11.0-rc.1", "3.11.0-rc.2", "3.11.0", "3.11.1", "3.12.0-rc.1", "3.12.0", "3.12.1", "3.13.0-rc.1", "3.13.0", "3.13.1", "3.14.0-rc.1", "3.14.0", "3.15.0-rc.1", "3.15.0", "3.16.0-rc.1", "3.16.0-rc.2", "3.16.0", "3.17.0-rc.1", "3.17.0", "3.18.0-rc.1", "3.18.0", "3.19.0-rc.1", "3.19.0", "3.20.0-rc.1", "3.20.0", "3.21.0-rc.1", "3.21.0", "3.22.0-rc.1", "3.22.0", "3.23.0-rc.1", "3.23.0", "3.24.0-rc.1", "3.24.0", "3.25.0-rc.1", "3.25.0", "3.26.0-rc.1", "3.26.0", "3.27.0-rc.1", "3.27.0", "3.28.0-rc.1", "3.28.0", "3.28.1", "3.29.0-rc.1", "3.29.0-rc.2", "3.29.0-rc.3", "3.29.0", "3.30.0-rc.1", "3.30.0-rc.2", "3.29.1", "3.30.0", "3.31.0-rc.1", "3.31.0-rc.2", "3.31.0", "3.32.0-rc.1", "3.32.0-rc.2", "3.32.0", "3.32.1", "3.33.0-rc.1", "3.33.0-rc.2", "3.33.0", "3.34.0-rc.1", "3.34.0", "3.35.0-rc.1", "3.35.1", "3.36.0-rc.1", "3.36.0", "3.36.1", "3.37.0-rc.1", "3.37.0", "3.38.0-rc.1", "3.38.0", "3.39.0-rc.1", "3.39.0-rc.2", "3.39.0", "3.39.1", "3.40.0-rc.1", "3.40.0-rc.2", "3.40.0", "3.40.1", "3.41.0-rc.1", "3.41.0", "3.41.1", "3.42.0-rc.1", "3.42.0", "3.42.1-rc.1", "3.42.1", "3.42.2-rc.1", "3.42.2-rc.2", "3.42.2-rc.3", "3.42.2-rc.4", "3.42.3", "3.42.4", "3.43.0-rc.1", "3.43.0", "3.44.0-rc.1", "3.44.0-rc.2", "3.44.0", "3.45.0-rc.2", "3.45.0-rc.3", "3.45.0", "3.46.0-rc.1", "3.46.0", "3.47.0", "3.48.0-rc.1", "3.48.0", "3.49.0-rc.1", "3.49.0-rc.2", "3.49.0", "3.50.0", "3.51.0-rc.1", "3.51.0", "3.52.0-rc.1", "3.52.0-rc.2", "3.52.0", "3.53.0-rc.1", "3.53.0-rc.2", "3.53.0", "3.54.0-rc.1", "3.54.0", "3.55.0-rc.1", "3.55.0", "3.56.0", "3.57.0", "3.58.0-rc.1", "3.58.0-rc.2", "3.58.0", "3.58.1", "3.59.0-rc.1", "3.59.0-rc.2", "3.59.0", "3.59.1", "3.60.0-rc.1", "3.60.0-rc.2", "3.60.0", "3.61.0-rc.1", "3.61.0", "3.62.0-rc.1", "3.62.0-rc.2", "3.62.0", "3.63.0-rc.2", "3.63.0", "3.64.0-rc.1", "3.64.0-rc.2", "3.64.0-rc.3", "3.64.0-rc.4", "3.64.0", "3.64.1", "3.64.2", "3.65.0-rc.1", "3.65.0", "3.66.0-rc.1", "3.66.0", "3.67.0-rc.1", "3.67.0-rc.2", "3.67.0", "3.68.0-rc.1", "3.68.0-rc.2", "3.68.0-rc.3", "3.68.0", "3.69.0", "3.69.1", "3.70.0-rc.1", "3.70.0", "3.71.0-rc.1", "3.71.0", "3.71.1", "3.72.0-rc.1", "3.72.0-rc.2", "3.72.0", "3.73.0-rc.1", "3.73.0-rc.2", "3.73.0-rc.3", "3.73.0", "3.73.1", "3.74.0-rc1", "3.74.0", "3.75.0-rc.1", "3.75.0", "3.76.0-rc.1", "3.76.0-rc.2", "3.76.0", "3.77.0-rc.1", "3.77.0", "3.77.1", "3.78.0-rc.1", "3.78.0", "3.79.0-rc.2", "3.79.0", "3.80.0-rc.1", "3.80.0-rc.2", "3.80.0", "3.80.1", "3.81.0-rc.1", "3.81.0", "3.81.1", "3.82.0-rc.1", "3.82.0", "3.83.0-rc.1", "3.83.0", "3.84.0-rc.1", "3.84.0", "3.84.1", "3.85.0-rc.0", "3.85.0-rc.1", "3.85.0", "3.86.0-rc.2", "3.86.0", "3.87.0-rc.0", "3.87.0", "3.88.0", "3.89.0-rc.0", "3.89.0", "3.90.0", "3.91.0-rc.0", "3.91.0-rc.1", "3.91.0", "3.92.0-rc.0", "3.92.0-rc.1", "3.92.0", "3.93.0-rc.0", "3.93.0", "3.94.0-rc.0", "3.94.0", "3.95.0-rc.0", "3.95.0", "3.96.0-rc.0", "3.96.0", "3.96.1", "3.97.0-rc.0", "3.97.0", "3.98.0-rc.0", "3.98.0", "3.99.0-rc.0", "3.99.0-rc.1", "3.99.0", "3.100.0-rc.0", "3.100.0-rc.1", "3.100.0", "3.101.0-rc.0", "3.101.0-rc.1", "3.101.0", "3.102.0-rc.0", "3.102.0-rc.1", "3.102.0", "3.103.0-rc.1", "3.103.0", "3.104.0-rc.0", "3.104.0-rc.1", "3.104.0"]
Secure versions:
[3.105.1, 3.106.0-rc.1, 3.106.0, 3.107.0, 3.108.0-rc.0, 3.108.0, 3.109.0-rc.0, 3.109.0, 3.110.0-rc.1, 3.110.0, 3.111.0, 3.112.0-rc.0, 3.112.0, 3.113.0, 3.114.0-rc.0, 3.114.0]
Recommendation:
Update to version 3.114.0.
Published date: 2023-04-25T19:48:11Z
CVE: CVE-2023-30609
Impact
Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload.
Cross-site scripting is possible by including resources from recaptcha.net
and gstatic.com
which are included in the default CSP.
Thanks to Cadence Ember for finding the injection and to S1m for finding possible XSS vectors.
Patches
Version 3.71.0 of the SDK fixes the issue.
Workarounds
Restarting the client will clear the injection.
Affected versions:
["0.0.1", "0.0.2", "0.1.0", "0.2.0", "0.3.0", "0.3.1", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.4-r1", "0.6.5", "0.6.5-r1", "0.6.5-r2", "0.6.5-r3", "0.7.1", "0.7.2", "0.7.3", "0.7.4", "0.7.5-rc.1", "0.7.5", "0.8.0", "0.8.1-rc.1", "0.8.1-rc.2", "0.8.1", "0.8.2", "0.8.3", "0.8.3-electron", "0.8.4", "0.8.5-rc.1", "0.8.5", "0.8.6-rc.1", "0.8.6-rc.2", "0.8.6-rc.3", "0.8.6", "0.8.7-rc.1", "0.8.7-rc.2", "0.8.7-rc.3", "0.8.7-rc.4", "0.8.7", "0.8.8-rc.1", "0.8.8-rc.2", "0.8.8", "0.8.9-rc.1", "0.8.9", "0.9.0-rc.1", "0.9.0-rc.2", "0.9.0", "0.9.1", "0.9.2", "0.9.3-rc.1", "0.9.3-rc.2", "0.9.3", "0.9.4", "0.9.5-rc.1", "0.9.5-rc.2", "0.9.5", "0.9.6", "0.9.7", "0.10.0-rc.1", "0.10.0-rc.2", "0.10.1-rc.1", "0.10.1", "0.10.2", "0.10.3-rc.1", "0.10.3-rc.2", "0.10.3", "0.10.4-rc.1", "0.10.4", "0.10.5", "0.10.6", "0.10.7-rc.1", "0.10.7-rc.2", "0.10.7-rc.3", "0.10.7", "0.11.0-rc.1", "0.11.0-rc.2", "0.11.0-rc.3", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.11.4", "0.12.0-rc.1", "0.12.0-rc.2", "0.12.0-rc.3", "0.12.0-rc.4", "0.11.4-cryptowarning.1", "0.11.4-cryptowarning.2", "0.12.0-rc.5", "0.12.0-rc.6", "0.12.0-rc.7", "0.12.0", "0.12.1", "0.12.2", "0.12.3-rc.1", "0.12.3-rc.2", "0.12.3-rc.3", "0.12.3", "0.12.4-rc.1", "0.12.4-rc.2", "0.12.4-rc.3", "0.12.4-rc.4", "0.12.4-rc.5", "0.12.4-rc.6", "0.12.4", "0.12.5", "0.12.6-rc.1", "0.12.6", "0.12.7-rc.1", "0.12.7", "0.12.8-rc.1", "0.12.8-rc.2", "0.12.8", "0.12.9-rc.1", "0.12.9-rc.2", "0.12.9", "0.13.0-rc.1", "0.13.0-rc.2", "0.13.0", "0.13.1-rc.1", "0.13.1", "0.13.2", "0.13.3-rc.1", "0.13.3-rc.2", "0.13.3", "0.13.4-rc.1", "0.13.4", "0.13.5-rc.1", "0.13.5", "0.13.6", "0.14.0-rc.1", "0.14.0", "0.14.1", "0.14.2-rc.1", "0.14.2", "0.14.3", "0.14.4", "0.14.5-rc.1", "0.14.5-rc.2", "0.14.5", "0.14.6", "0.14.7-rc.1", "0.14.7-rc.2", "0.14.7", "0.14.8-rc.1", "0.14.8", "1.0.0-rc.1", "1.0.0-rc.2", "1.0.0", "1.0.1", "1.0.2-rc.1", "1.0.2-rc.2", "1.0.2-rc.3", "1.0.2-rc.4", "1.0.2", "1.0.3", "1.0.4-rc.1", "1.0.4", "1.0.5", "1.0.6-rc.1", "1.0.6", "1.0.7", "1.1.0-rc.1", "1.1.0", "1.1.1", "1.1.2", "1.2.0-rc.1", "1.2.0", "1.2.1", "1.2.2-rc.1", "1.2.2-rc.2", "1.2.2", "1.3.0-rc.1", "1.3.0", "1.3.1", "1.4.0-rc.1", "1.4.0-rc.2", "1.4.0-rc.3", "1.4.0", "1.5.0-rc.1", "1.5.0", "1.5.1", "1.5.2-rc.1", "1.5.2", "1.5.3-rc.1", "1.5.3-rc.2", "1.5.3-rc.3", "1.5.3", "1.6.0-rc.1", "1.6.0-rc.2", "1.6.0", "1.6.1", "1.6.2-rc.1", "1.6.2", "1.7.0-rc.1", "1.7.0", "1.7.1-rc.1", "1.7.1-rc.2", "1.7.1", "1.7.2", "1.7.3-rc.1", "1.7.3-rc.2", "1.7.3", "1.7.4", "1.7.5-rc.1", "1.7.5", "1.7.6-rc.1", "1.7.6-rc.2", "1.7.6", "2.0.0-rc.2", "2.0.0", "2.1.0-rc.1", "2.1.0-rc.2", "2.1.0", "2.1.1", "2.2.0-rc.1", "2.2.0", "2.2.1", "2.2.2", "2.2.3-rc.1", "2.2.3", "2.3.0-rc.1", "2.3.0", "2.3.1", "2.4.0-rc.1", "2.5.0-rc.1", "2.5.0-rc.2", "2.5.0-rc.3", "2.5.0-rc.4", "2.5.0-rc.5", "2.5.0-rc.6", "2.5.0", "2.6.0-rc.1", "2.6.0", "2.6.1", "2.7.0-rc.1", "2.7.0-rc.2", "2.7.0", "2.7.1", "2.7.2", "2.8.0-rc.1", "2.8.0", "2.8.1", "2.9.0-rc.1", "2.9.0", "2.10.0", "2.10.1", "3.0.0", "3.1.0-rc.1", "3.1.0", "3.2.0-rc.1", "3.2.0", "3.3.0-rc.1", "3.3.0", "3.4.0-rc.1", "3.4.0", "3.4.1", "3.5.0-rc.1", "3.5.0", "3.6.0-rc.1", "3.6.0", "3.6.1", "3.7.0-rc.1", "3.7.0-rc.2", "3.7.0", "3.7.1", "3.8.0-rc.1", "3.8.0", "3.9.0-rc.1", "3.9.0", "3.10.0-rc.1", "3.10.0", "3.11.0-rc.1", "3.11.0-rc.2", "3.11.0", "3.11.1", "3.12.0-rc.1", "3.12.0", "3.12.1", "3.13.0-rc.1", "3.13.0", "3.13.1", "3.14.0-rc.1", "3.14.0", "3.15.0-rc.1", "3.15.0", "3.16.0-rc.1", "3.16.0-rc.2", "3.16.0", "3.17.0-rc.1", "3.17.0", "3.18.0-rc.1", "3.18.0", "3.19.0-rc.1", "3.19.0", "3.20.0-rc.1", "3.20.0", "3.21.0-rc.1", "3.21.0", "3.22.0-rc.1", "3.22.0", "3.23.0-rc.1", "3.23.0", "3.24.0-rc.1", "3.24.0", "3.25.0-rc.1", "3.25.0", "3.26.0-rc.1", "3.26.0", "3.27.0-rc.1", "3.27.0", "3.28.0-rc.1", "3.28.0", "3.28.1", "3.29.0-rc.1", "3.29.0-rc.2", "3.29.0-rc.3", "3.29.0", "3.30.0-rc.1", "3.30.0-rc.2", "3.29.1", "3.30.0", "3.31.0-rc.1", "3.31.0-rc.2", "3.31.0", "3.32.0-rc.1", "3.32.0-rc.2", "3.32.0", "3.32.1", "3.33.0-rc.1", "3.33.0-rc.2", "3.33.0", "3.34.0-rc.1", "3.34.0", "3.35.0-rc.1", "3.35.1", "3.36.0-rc.1", "3.36.0", "3.36.1", "3.37.0-rc.1", "3.37.0", "3.38.0-rc.1", "3.38.0", "3.39.0-rc.1", "3.39.0-rc.2", "3.39.0", "3.39.1", "3.40.0-rc.1", "3.40.0-rc.2", "3.40.0", "3.40.1", "3.41.0-rc.1", "3.41.0", "3.41.1", "3.42.0-rc.1", "3.42.0", "3.42.1-rc.1", "3.42.1", "3.42.2-rc.1", "3.42.2-rc.2", "3.42.2-rc.3", "3.42.2-rc.4", "3.42.3", "3.42.4", "3.43.0-rc.1", "3.43.0", "3.44.0-rc.1", "3.44.0-rc.2", "3.44.0", "3.45.0-rc.2", "3.45.0-rc.3", "3.45.0", "3.46.0-rc.1", "3.46.0", "3.47.0", "3.48.0-rc.1", "3.48.0", "3.49.0-rc.1", "3.49.0-rc.2", "3.49.0", "3.50.0", "3.51.0-rc.1", "3.51.0", "3.52.0-rc.1", "3.52.0-rc.2", "3.52.0", "3.53.0-rc.1", "3.53.0-rc.2", "3.53.0", "3.54.0-rc.1", "3.54.0", "3.55.0-rc.1", "3.55.0", "3.56.0", "3.57.0", "3.58.0-rc.1", "3.58.0-rc.2", "3.58.0", "3.58.1", "3.59.0-rc.1", "3.59.0-rc.2", "3.59.0", "3.59.1", "3.60.0-rc.1", "3.60.0-rc.2", "3.60.0", "3.61.0-rc.1", "3.61.0", "3.62.0-rc.1", "3.62.0-rc.2", "3.62.0", "3.63.0-rc.2", "3.63.0", "3.64.0-rc.1", "3.64.0-rc.2", "3.64.0-rc.3", "3.64.0-rc.4", "3.64.0", "3.64.1", "3.64.2", "3.65.0-rc.1", "3.65.0", "3.66.0-rc.1", "3.66.0", "3.67.0-rc.1", "3.67.0-rc.2", "3.67.0", "3.68.0-rc.1", "3.68.0-rc.2", "3.68.0-rc.3", "3.68.0", "3.69.0", "3.69.1", "3.70.0-rc.1", "3.70.0", "3.71.0-rc.1"]
Secure versions:
[3.105.1, 3.106.0-rc.1, 3.106.0, 3.107.0, 3.108.0-rc.0, 3.108.0, 3.109.0-rc.0, 3.109.0, 3.110.0-rc.1, 3.110.0, 3.111.0, 3.112.0-rc.0, 3.112.0, 3.113.0, 3.114.0-rc.0, 3.114.0]
Recommendation:
Update to version 3.114.0.
543 Other Versions