PT-2023-22806 · Unknown · Matrix-React-Sdk
Andybala +1 · Published 2023-04-25 · Updated 2024-06-15 · CVE-2023-30609
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
matrix-react-sdk versions prior to 3.71.0
Description
The issue concerns plain text messages containing HTML tags being rendered as HTML in search results. An attacker would need to trick a user into searching for a specific message with an HTML injection payload to exploit this. Although cross-site scripting is not possible due to the hardcoded content security policy, there are exceptions where resources from specific domains can be included, potentially leading to XSS vectors.
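The class of bug described above, as an added example (not matrix-react-sdk's code and not part of this advisory): a search-result highlighter that splices highlight markup into the raw message body, beside one that escapes the plain-text body before adding its own markup. All function names, the `hl` class and the sample message are constructed for illustration.

```javascript
// Added illustration; names and sample data are hypothetical,
// not taken from matrix-react-sdk.

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Flawed pattern: the plain-text body is handed to the HTML path as-is,
// so any tags typed into the message survive into the rendered result.
function highlightUnsafe(body, term) {
  if (!term) return body;
  const re = new RegExp(`(${escapeRegExp(term)})`, "gi");
  return body.replace(re, '<span class="hl">$1</span>');
}

// Hardened pattern: split the text on the search term, escape every piece,
// and only then wrap the matches. The only markup in the output is ours.
function highlightSafe(body, term) {
  if (!term) return escapeHtml(body);
  const re = new RegExp(`(${escapeRegExp(term)})`, "gi");
  return body
    .split(re) // with a capture group, odd indices hold the matches
    .map((part, i) =>
      i % 2 === 1 ? `<span class="hl">${escapeHtml(part)}</span>` : escapeHtml(part))
    .join("");
}

// Regression check for a unit test: every tag in the output must be
// one of the highlighter's own span tags.
function onlyHighlightTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((t) => t === '<span class="hl">' || t === "</span>");
}

const sample = "<h1>urgent</h1> call me"; // constructed plain-text message body
console.log(highlightUnsafe(sample, "urgent"));
console.log(highlightSafe(sample, "urgent"));
```
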
Recommendations
For versions prior to 3.71.0, update to version 3.71.0 to resolve the issue.
As a temporary workaround, restarting the client will clear the HTML injection.
Exploit
Fix
XSS
Special Elements Injection
Affected Products
Matrix-React-Sdk