Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross site scripting in Export Chat feature
Vulnerability Description
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side. This issue has been addressed in commit `22fcd34c60` which is included in release version 3.76.0. Users are advised to upgrade. The only known workaround for this issue is to disable or to not use the Export Chat feature.
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
matrix-react-sdk 跨站脚本漏洞
Vulnerability Description
matrix-react-sdk是Matrix开源的一个用于将Matrix chat/voip客户端插入网页的组件。 matrix-react-sdk 3.32.0到3.76.0版本存在跨站脚本漏洞,该漏洞源于导出聊天功能在生成的文档中包含某些攻击者控制的元素,且没有进行充分的转义,从而导致 XSS。
CVSS Information
N/A
Vulnerability Type
N/A