What is the severity of CVE-2023-30609?

CVE-2023-30609 is considered a medium severity vulnerability due to potential cross-site scripting attacks.

How can I fix CVE-2023-30609?

To fix CVE-2023-30609, upgrade to matrix-react-sdk version 3.71.0 or later.

What type of attack is possible with CVE-2023-30609?

CVE-2023-30609 allows for cross-site scripting attacks by rendering plain text messages with HTML tags in search results.

Which software is affected by CVE-2023-30609?

CVE-2023-30609 affects versions of the matrix-react-sdk prior to 3.71.0.

What methods can an attacker use to exploit CVE-2023-30609?

An attacker can exploit CVE-2023-30609 by tricking a user into searching for a specific message that contains an HTML injection payload.

Vulnerability/
CVE-2023-30609

high

8.2

CWE

74 79

25/4/2023

2/8/2024

CVE-2023-30609: matrix-react-sdk vulnerable to HTML injection in search results via plaintext message highlighting

First published: Tue Apr 25 2023(Updated: )

### Impact Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. Cross-site scripting is possible by including resources from `recaptcha.net` and `gstatic.com` which are included in the default CSP. Thanks to [Cadence Ember](https://cadence.moe/) for finding the injection and to [S1m](https://github.com/p1gp1g/) for finding possible XSS vectors. ### Patches Version 3.71.0 of the SDK fixes the issue. ### Workarounds Restarting the client will clear the injection.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
npm/matrix-react-sdk	<3.71.0	3.71.0
Matrix React SDK	<3.71.0

Remedy

https://github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-30609?
CVE-2023-30609 is considered a medium severity vulnerability due to potential cross-site scripting attacks.
How can I fix CVE-2023-30609?
To fix CVE-2023-30609, upgrade to matrix-react-sdk version 3.71.0 or later.
What type of attack is possible with CVE-2023-30609?
CVE-2023-30609 allows for cross-site scripting attacks by rendering plain text messages with HTML tags in search results.
Which software is affected by CVE-2023-30609?
CVE-2023-30609 affects versions of the matrix-react-sdk prior to 3.71.0.
What methods can an attacker use to exploit CVE-2023-30609?
An attacker can exploit CVE-2023-30609 by tricking a user into searching for a specific message that contains an HTML injection payload.

collector/github-advisory-latest
alias/GHSA-xv83-x443-7rmw
alias/CVE-2023-30609
collector/github-advisory
agent/type
agent/first-publish-date
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/references
agent/severity
agent/title
agent/weakness
agent/remedy
agent/event
agent/description
agent/trending
agent/source
agent/tags
collector/nvd-cve
agent/software-canonical-lookup-request
collector/nvd-index
agent/author
package-manager/npm
vendor/matrix-react-sdk project
canonical/matrix react sdk

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.