4.3
CVE-2021-21320
- EPSS 0.92%
- Veröffentlicht 02.03.2021 03:15:13
- Zuletzt bearbeitet 21.11.2024 05:48:00
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginUser content sandbox can be confused into opening arbitrary documents
matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messages and secrets are not at risk. This has been fixed in version 3.15.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Matrix-react-sdk Project ≫ Matrix-react-sdk SwPlatformnode.js Version < 3.15.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.92% | 0.556 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
| security-advisories@github.com | 2.6 | 1.2 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
|
CWE-345 Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
https://github.com/matrix-org/matrix-react-sdk/commit/b386f0c73b95ecbb6ea7f8f79c6ff5171a8dedd1
https://github.com/matrix-org/matrix-react-sdk/pull/5657
https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-52mq-6jcv-j79x
https://www.npmjs.com/package/matrix-react-sdk