CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-38691 – matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs
https://notcve.org/view.php?id=CVE-2023-38691
matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library does not check that the servername part of the `sub` parameter (containing the user's *claimed* MXID) is the the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a `sub` parameter according to the user they want to act as and use the resulting token to perform provisioning requests. Versions 8.1.2 and 9.0.1 contain a patch. • https://github.com/matrix-org/matrix-appservice-bridge/commit/4c6723a5e7beda65cdf1ae5dbb882e8beaac8552 https://github.com/matrix-org/matrix-appservice-bridge/security/advisories/GHSA-vc7j-h8xg-fv5x • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38690 – matrix-appservice-irc IRC command injection via admin commands containing newlines
https://notcve.org/view.php?id=CVE-2023-38690
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot. Versions 1.0.1 and above are patched. There are no robust workarounds to the bug. • https://github.com/matrix-org/matrix-appservice-irc/commit/0afb064635d37e039067b5b3d6423448b93026d3 https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1 https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-3pmj-jqqp-2mj3 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38686 – Sydent does not verify email server certificates
https://notcve.org/view.php?id=CVE-2023-38686
Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes Sydent's emails vulnerable to interception via a man-in-the-middle (MITM) attack. Attackers with privileged access to the network can intercept room invitations and address confirmation emails. This is patched in Sydent 2.5.6. • https://docs.python.org/3/library/ssl.html?highlight=ssl#security-considerations https://github.com/matrix-org/sydent/commit/1cd748307c6b168b66154e6c4db715d4b9551261 https://github.com/matrix-org/sydent/pull/574 https://github.com/matrix-org/sydent/releases/tag/v2.5.6 https://github.com/matrix-org/sydent/security/advisories/GHSA-p6hw-wm59-3g5g https://github.com/python/cpython/issues/91826 https://peps.python.org/pep-0476 • CWE-295: Improper Certificate Validation •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-37259 – Cross site scripting in Export Chat feature
https://notcve.org/view.php?id=CVE-2023-37259
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side. • https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8 https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3383 – SourceCodester Game Result Matrix System GET Parameter athlete-profile.php sql injection
https://notcve.org/view.php?id=CVE-2023-3383
A vulnerability, which was classified as critical, was found in SourceCodester Game Result Matrix System 1.0. This affects an unknown part of the file /dipam/athlete-profile.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/M9KJ-TEAM/CVEReport/blob/main/SQL2.md https://vuldb.com/?ctiid.232239 https://vuldb.com/?id.232239 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •