Описание
File upload local preview can run embedded scripts after user interaction
Impact
When uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file, but only after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users.
Patches
This has been fixed by https://github.com/matrix-org/matrix-react-sdk/pull/5981, which is included in 3.21.0.
Workarounds
There are no known workarounds.
Пакеты
Наименование
matrix-react-sdk
npm
Затронутые версииВерсия исправления
< 3.21.0
3.21.0
4.2 Medium
CVSS3
Дефекты
CWE-74
4.2 Medium
CVSS3
Дефекты
CWE-74