CVE-2023-37259: 
JavaScript vulnerability analysis and mitigation

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The vulnerability (CVE-2023-37259) was discovered in the Export Chat feature, which includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross-site scripting (XSS). The issue was addressed in version 3.76.0 (Matrix Advisory).

The vulnerability stems from insufficient escaping of attacker-controlled elements in the generated document when using the Export Chat feature. Since the Export Chat feature generates a separate document, an attacker can only inject code run from the null origin. The vulnerability affects versions from 3.32.0 up to (excluding) 3.76.0. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N (Matrix Advisory).

While the impact is restricted due to code execution being limited to the null origin, attackers can potentially use the XSS vulnerability to leak message contents. A malicious homeserver can act as an attacker since the affected inputs are controllable server-side (Matrix Advisory).

The vulnerability has been patched in version 3.76.0 with commit 22fcd34c60. Users are advised to upgrade to this version or later. The only known workaround for users unable to upgrade is to disable or avoid using the Export Chat feature (Matrix Advisory).