
CVE-2023-43656 – Sandbox escape for instances that have enabled transformation functions in matrix-hookshot
https://notcve.org/view.php?id=CVE-2023-43656
27 Sep 2023 — matrix-hookshot is a Matrix bot for connecting to external services like GitHub, GitLab, JIRA, and more. Instances that have enabled transformation functions (those that have `generic.allowJsTransformationFunctions` in their config) may be vulnerable to an attack in which it is possible to break out of the `vm2` sandbox, which leaves Hookshot itself exposed. This problem is only likely to affect users who have allowed untrusted users to apply their own transformation functions. If you have only ... • https://github.com/matrix-org/matrix-hookshot/commit/dc126afa6af86d66aefcd23a825326f405bcc894 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVE-2023-41335 – Temporary storage of plaintext passwords during password changes in matrix synapse
https://notcve.org/view.php?id=CVE-2023-41335
26 Sep 2023 — Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer durati... • https://github.com/matrix-org/synapse/pull/16272 • CWE-312: Cleartext Storage of Sensitive Information •

CVE-2023-42453 – Improper validation of receipts allows forged read receipts in matrix synapse
https://notcve.org/view.php?id=CVE-2023-42453
26 Sep 2023 — Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark them as read. This could be confusing, as clients will show the event as read by the user even if they are not in the room. This issue has been patched in version 1.93.0. • https://github.com/matrix-org/synapse/pull/16327 • CWE-285: Improper Authorization •

CVE-2023-38700 – matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms
https://notcve.org/view.php?id=CVE-2023-38700
04 Aug 2023 — matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1 fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. • https://github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2023-38691 – matrix-appservice-bridge doesn't verify the sub parameter of an openId token exchange, allowing unauthorized access to provisioning APIs
https://notcve.org/view.php?id=CVE-2023-38691
04 Aug 2023 — matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library does not check that the servername part of the `sub` parameter (containing the user's *claimed* MXID) is the same as the servername we are talking to. A malicious actor could spin up a server on any given domain,... • https://github.com/matrix-org/matrix-appservice-bridge/commit/4c6723a5e7beda65cdf1ae5dbb882e8beaac8552 • CWE-287: Improper Authentication •

CVE-2023-38690 – matrix-appservice-irc IRC command injection via admin commands containing newlines
https://notcve.org/view.php?id=CVE-2023-38690
04 Aug 2023 — matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot. Versions 1.0.1 and above are patched. There are no robust workarounds to the bug. • https://github.com/matrix-org/matrix-appservice-irc/commit/0afb064635d37e039067b5b3d6423448b93026d3 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2023-38686 – Sydent does not verify email server certificates
https://notcve.org/view.php?id=CVE-2023-38686
04 Aug 2023 — Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes Sydent's emails vulnerable to interception via a man-in-the-middle (MITM) attack. Attackers with privileged access to the network can intercept room invitations and address confirmation emails. This is patched in Sydent 2.5.6. • https://docs.python.org/3/library/ssl.html?highlight=ssl#security-considerations • CWE-295: Improper Certificate Validation •

CVE-2023-37259 – Cross site scripting in Export Chat feature
https://notcve.org/view.php?id=CVE-2023-37259
18 Jul 2023 — matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A malicious homese... • https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-3383 – SourceCodester Game Result Matrix System GET Parameter athlete-profile.php sql injection
https://notcve.org/view.php?id=CVE-2023-3383
23 Jun 2023 — A vulnerability, which was classified as critical, was found in SourceCodester Game Result Matrix System 1.0. This affects an unknown part of the file /dipam/athlete-profile.php of the component GET Parameter Handler. The manipulation of the argument id leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/M9KJ-TEAM/CVEReport/blob/main/SQL2.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-3382 – SourceCodester Game Result Matrix System GET Parameter save-delegates.php cross site scripting
https://notcve.org/view.php?id=CVE-2023-3382
23 Jun 2023 — A vulnerability, which was classified as problematic, has been found in SourceCodester Game Result Matrix System 1.0. Affected by this issue is some unknown functionality of the file /dipam/save-delegates.php of the component GET Parameter Handler. The manipulation of the argument del_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/M9KJ-TEAM/CVEReport/blob/main/XSS3.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •