matrix-react-sdk@1.2.2-rc.2 vulnerabilities

SDK for matrix.org using React

  • latest version

    3.114.0

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    1 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the matrix-react-sdk package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Exposure of Private Personal Information to an Unauthorized Actor

    matrix-react-sdk is a SDK for matrix.org using React

    Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via a malicious homeserver, allowing an attacker to change the user's account data and cause the client to enable URL previews in end-to-end encrypted rooms. Exploiting this vulnerability causes any URLs in encrypted messages to be sent to the server.

    How to fix Exposure of Private Personal Information to an Unauthorized Actor?

    Upgrade matrix-react-sdk to version 3.105.1 or higher.

    <3.105.1
    • M
    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

    matrix-react-sdk is a SDK for matrix.org using React

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') such that plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload.

    Note: No cross-site scripting attack is possible due to the hardcoded content security policy.

    How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

    Upgrade matrix-react-sdk to version 3.71.0 or higher.

    <3.71.0
    • H
    Prototype Pollution

    matrix-react-sdk is a SDK for matrix.org using React

    Affected versions of this package are vulnerable to Prototype Pollution such that in certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the Object.prototype, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic.

    How to fix Prototype Pollution?

    Upgrade matrix-react-sdk to version 3.69.0 or higher.

    <3.69.0
    • M
    Prototype Pollution

    matrix-react-sdk is a SDK for matrix.org using React

    Affected versions of this package are vulnerable to Prototype Pollution such that events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered.

    How to fix Prototype Pollution?

    Upgrade matrix-react-sdk to version 3.53.0 or higher.

    <3.53.0
    • M
    Cross-site Scripting (XSS)

    matrix-react-sdk is a SDK for matrix.org using React

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). When uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading.

    How to fix Cross-site Scripting (XSS)?

    Upgrade matrix-react-sdk to version 3.21.0 or higher.

    <3.21.0
    • L
    Sandbox Bypass

    matrix-react-sdk is a SDK for matrix.org using React

    Affected versions of this package are vulnerable to Sandbox Bypass. The user content sandbox can be abused to trick users into opening unexpected documents. Messages and secrets are not at risk: the content is opened with a blob origin, which cannot access Matrix user data.

    How to fix Sandbox Bypass?

    Upgrade matrix-react-sdk to version 3.15.0 or higher.

    <3.15.0