Home > Vulnerability Database > CVE-2023-30609

Mend.io Vulnerability Database

CVE-2023-30609

Good to know:

Date: April 25, 2023

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.

Language: TYPE_SCRIPT

Severity Score

5.4

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-30609

Url: https://github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826

Url: https://github.com/matrix-org/matrix-react-sdk

Url: https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw

Url: https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0

Url: https://www.mend.io/vulnerability-database/CVE-2023-30609

Severity Score

5.4

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Injection

CWE-74

Top Fix

Upgrade Version

Upgrade to version matrix-react-sdk - 3.71.0

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-30609

Good to know:

Date: April 25, 2023

Language: TYPE_SCRIPT

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?