CVE-2023-37259

Summary

CVE-2023-37259 is a stored Cross-Site Scripting (XSS) vulnerability affecting the matrix-react-sdk, a react-based SDK used for integrating Matrix chat and voip functionality into web pages. The vulnerability exists in the Export Chat feature, which generates a separate document containing attacker-controllable elements without proper escaping. An attacker can inject code to be run from the `null` origin, limiting the impact but potentially allowing message content leakage. A malicious homeserver is a potential threat vector since the affected inputs are server-side controlled. The issue has been resolved in commit `22fcd34c60`, which is included in release version 3.76.0. Users are strongly advised to upgrade as soon as possible. The only available workaround is to disable or avoid using the Export Chat feature.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.