PT-2023-27903 · Unknown · Matrix Media Repo

Joshqou · Published 2023-09-08 · Updated 2024-08-21 · CVE-2023-41318

CVSS v3.1: 4.1 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: matrix-media-repo versions prior to 1.3.0

Description: The issue allows an attacker to upload malicious media to the media repository, which is then served with Content-Disposition: inline upon download. This can be leveraged to execute scripts embedded in SVG content. The vulnerability can be exploited through the /_matrix/media/(r0|v3)/download endpoint. Server operators that do not share a domain between matrix-media-repo and other services are not affected.

Recommendations: For versions prior to 1.3.0, upgrade to v1.3.0 as soon as possible. As a temporary workaround for operators unable to upgrade, override the Content-Disposition header returned by matrix-media-repo to always use attachment.
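One way to apply the temporary workaround, as an added example that is not code from matrix-media-repo or from the advisory: a Go reverse proxy placed in front of the media repo rewrites Content-Disposition to attachment on the download endpoint. The names attachmentDisposition, forceAttachment and newProxy and the upstream address are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// Download endpoint named in the advisory.
var downloadPath = regexp.MustCompile(`^/_matrix/media/(r0|v3)/download/`)

// attachmentDisposition returns a Content-Disposition value whose type is
// always "attachment", keeping parameters such as filename when they parse.
func attachmentDisposition(current string) string {
	if _, params, err := mime.ParseMediaType(current); err == nil {
		if v := mime.FormatMediaType("attachment", params); v != "" {
			return v
		}
	}
	return "attachment" // missing or malformed header: still force download
}

// forceAttachment is a ReverseProxy.ModifyResponse hook for download responses.
func forceAttachment(resp *http.Response) error {
	if resp.Request != nil && downloadPath.MatchString(resp.Request.URL.Path) {
		old := resp.Header.Get("Content-Disposition")
		resp.Header.Set("Content-Disposition", attachmentDisposition(old))
	}
	return nil
}

// newProxy wires the hook into a proxy; upstream is an assumed backend address.
func newProxy(upstream string) (*httputil.ReverseProxy, error) {
	u, err := url.Parse(upstream)
	if err != nil {
		return nil, err
	}
	p := httputil.NewSingleHostReverseProxy(u)
	p.ModifyResponse = forceAttachment
	return p, nil
}

func main() { // constructed sample header values
	for _, h := range []string{`inline; filename="logo.svg"`, "inline", ""} {
		fmt.Printf("%q -> %q\n", h, attachmentDisposition(h))
	}
}
```

The hook leaves responses for other paths untouched, so it can sit on a proxy that also fronts unrelated services on the same domain.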

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-41318
GHSA-5CRW-6J7V-XC72
GO-2023-2053

Affected Products

Matrix Media Repo