Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
matrix-react-sdk vulnerable to HTML injection in search results via plaintext message highlighting
Vulnerability Description
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
matrix-react-sdk 注入漏洞
Vulnerability Description
matrix-react-sdk是Matrix开源的一个用于将Matrix chat/voip客户端插入网页的组件。 matrix-react-sdk 3.71.0之前版本存在注入漏洞,该漏洞源于包含HTML标记的纯文本消息在搜索结果中会呈现为HTML。
CVSS Information
N/A
Vulnerability Type
N/A