GHSA-8796-gc9j-63rv – matrix-react-sdk

Package

Manager: npm
Name: matrix-react-sdk
Vulnerable Version: >=0 <3.21.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

File upload local preview can run embedded scripts after user interaction ### Impact When uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file, but only after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. ### Patches This has been fixed by https://github.com/matrix-org/matrix-react-sdk/pull/5981, which is included in 3.21.0. ### Workarounds There are no known workarounds.

Metadata

Created: 2021-05-17T20:51:16Z
Modified: 2021-10-05T16:31:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-8796-gc9j-63rv/GHSA-8796-gc9j-63rv.json
CWE IDs: ["CWE-74"]
Alternative ID: N/A
Finding: F184
Auto approve: 1