CVE-2021-32622

low-risk
Published 2021-05-17

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. This vulnerability is patched in version 3.21.0.

Do I need to act?

-
0.17% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.2/10 Medium
LOCAL / HIGH complexity

Affected Products (1)

Matrix-React-Sdk

Affected Vendors

Matrix-React-Sdk Project

References (4)

Patch https://github.com/matrix-org/matrix-react-sdk/pull/5981
Patch https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9...
Patch https://github.com/matrix-org/matrix-react-sdk/pull/5981
Patch https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9...
17
/ 100
low-risk
Severity 11/34 · Low
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal