Vulnerability Description
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. This vulnerability is patched in version 3.21.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matrix-React-Sdk Project | Matrix-React-Sdk | < 3.21.0 |
Related Weaknesses (CWE)
References
- https://github.com/matrix-org/matrix-react-sdk/pull/5981PatchThird Party Advisory
- https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9PatchThird Party Advisory
- https://github.com/matrix-org/matrix-react-sdk/pull/5981PatchThird Party Advisory
- https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9PatchThird Party Advisory
FAQ
What is CVE-2021-32622?
CVE-2021-32622 is a vulnerability with a CVSS score of 4.2 (MEDIUM). Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts emb...
How severe is CVE-2021-32622?
CVE-2021-32622 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32622?
Check the references section above for vendor advisories and patch information. Affected products include: Matrix-React-Sdk Project Matrix-React-Sdk.