CVE-2023-30609: 
JavaScript vulnerability analysis and mitigation

matrix-react-sdk, a react-based SDK for inserting a Matrix chat/VoIP client into a web page, was found to contain a vulnerability (CVE-2023-30609) prior to version 3.71.0. The vulnerability allowed plain text messages containing HTML tags to be rendered as HTML in the search results (NVD, GitHub Advisory).

The vulnerability stems from improper neutralization of HTML elements in plaintext messages when displayed in search results. When a user searches for specific content, any HTML tags present in plaintext messages would be rendered as actual HTML rather than being escaped. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (MEDIUM) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, while GitHub assessed it with a score of 5.4 (MEDIUM) (NVD).

The vulnerability could allow an attacker to inject HTML content into the search results display. While cross-site scripting (XSS) attacks were limited due to the hardcoded content security policy, it was possible to include resources from recaptcha.net and gstatic.com which were included in the default CSP (GitHub Advisory).

The vulnerability was patched in version 3.71.0 of the matrix-react-sdk. As a temporary workaround, users can restart the client to clear any HTML injection. Users are advised to upgrade to version 3.71.0 or later to fully address the vulnerability (GitHub Advisory).

The vulnerability was discovered by security researchers Cadence Ember, who found the injection vulnerability, and S1m, who identified possible XSS vectors (GitHub Advisory).