CVE-2023-37259

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Jul 18, 2023

Updated: Jul 27, 2023

CWE ID 79

Summary

CVE-2023-37259 is a stored Cross-Site Scripting (XSS) vulnerability affecting the matrix-react-sdk, a react-based SDK used for integrating Matrix chat and voip functionality into web pages. The vulnerability exists in the Export Chat feature, which generates a separate document containing attacker-controllable elements without proper escaping. An attacker can inject code to be run from the `null` origin, limiting the impact but potentially allowing message content leakage. A malicious homeserver is a potential threat vector since the affected inputs are server-side controlled. The issue has been resolved in commit `22fcd34c60`, which is included in release version 3.76.0. Users are strongly advised to upgrade as soon as possible. The only available workaround is to disable or avoid using the Export Chat feature.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Advisories, Assessments, and Mitigations

Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future

Note: This is just a basic overview providing quick insights into CVE-2023-37259 information. Gain full access to comprehensive CVE data, third party vulnerabilities, compromised credentials and more with Recorded Future

Gain complete coverage of your cyber, third party, and physical attack surface
Proactively mitigate threats before they turn into costly attacks
Make fast, effective, data-driven decisions

Book your demo

Sign in

Back to Vulnerability Database