CVE-2023-32323 – Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites
https://notcve.org/view.php?id=CVE-2023-32323
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. • https://github.com/matrix-org/synapse/issues/14492 https://github.com/matrix-org/synapse/pull/14642 https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD • CWE-20: Improper Input Validation •
CVE-2023-30609 – matrix-react-sdk vulnerable to HTML injection in search results via plaintext message highlighting
https://notcve.org/view.php?id=CVE-2023-30609
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. • https://github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826 https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0 https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-29529 – matrix-js-sdk vulnerable to invisible eavesdropping in group calls
https://notcve.org/view.php?id=CVE-2023-29529
matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. • https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0 https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q https://github.com/matrix-org/matrix-spec-proposals/pull/3401 • CWE-862: Missing Authorization •
CVE-2022-36060 – Prototype pollution in matrix-react-sdk
https://notcve.org/view.php?id=CVE-2022-36060
matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. This issue has been fixed in matrix-react-sdk 3.53.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-2x9c-qwgf-94xr • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVE-2023-28103 – Prototype pollution in matrix-react-sdk
https://notcve.org/view.php?id=CVE-2023-28103
matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. Note this advisory is distinct from GHSA-2x9c-qwgf-94xr which refers to a similar issue. • https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-6g43-88cp-w5gv https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •