CVE-2021-21320

Name of the Vulnerable Software and Affected Versions matrix-react-sdk versions prior to 3.15.0

Description The user content sandbox in matrix-react-sdk can be abused to trick users into opening unexpected documents. This is achieved through several user interactions, allowing the content to be opened with a blob origin. However, it is noted that the content opened in this manner cannot access Matrix user data, so messages and secrets are not at risk.

Recommendations For versions prior to 3.15.0, update to version 3.15.0 to resolve the issue. As a temporary workaround, consider restricting user interactions that could lead to the abuse of the user content sandbox until the update is applied.