CVE-2021-32622 – File upload local preview can run embedded scripts after user interaction

https://notcve.org/view.php?id=CVE-2021-32622

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. • https://github.com/matrix-org/matrix-react-sdk/pull/5981 https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9j-63rv • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •