← Back to CVE List

CVE-2023-37259

Published: 2023-07-18T17:15Z
Last Modified: 2024-11-21T08:11Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side. This issue has been addressed in commit `22fcd34c60` which is included in release version 3.76.0. Users are advised to upgrade. The only known workaround for this issue is to disable or to not use the Export Chat feature. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt