8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-30609

GHSA ID

GHSA-xv83-x443-7rmw

EPSS Score

0.58961%

CWE

CWE-74

Published

4/25/2023

Updated

11/4/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-30609

CVE-2023-30609: HTML injection in search results via plaintext message highlighting

Impact

Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload.

Cross-site scripting is possible by including resources from recaptcha.net and gstatic.com which are included in the default CSP.

Thanks to Cadence Ember for finding the injection and to S1m for finding possible XSS vectors.

Patches

Version 3.71.0 of the SDK fixes the issue.

Workarounds

Restarting the client will clear the injection.

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-30609

GHSA ID

GHSA-xv83-x443-7rmw

EPSS Score

0.58961%

CWE

CWE-74

Published

4/25/2023

Updated

11/4/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-react-sdk	npm	< 3.71.0	3.71.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key functions: 1) bodyToHtml failed to escape plaintext messages before passing them to the highlighter, as shown in the diff adding escapeHtml(plainBody). 2) applyHighlights' JSDoc explicitly states it requires sanitized input but was receiving raw user-controlled data. The combination allowed HTML injection when plaintext messages containing HTML tags were highlighted in search results. The commit fixes this by adding HTML escaping in bodyToHtml before calling applyHighlights.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Pl*in t*xt m*ss***s *ont*inin* *TML t**s *r* r*n**r** *s *TML in t** s**r** r*sults. To *xploit t*is, *n *tt**k*r n***s to tri*k * us*r into s**r**in* *or * sp**i*i* m*ss*** *ont*inin* *n *TML inj**tion p*ylo**. *ross-sit* s*riptin* is po

Reasoning

T** vuln*r**ility st*mm** *rom two k*y *un*tions: *) `*o*yTo*tml` **il** to *s**p* pl*int*xt m*ss***s ***or* p*ssin* t**m to t** *i**li**t*r, *s s*own in t** *i** ***in* `*s**p**tml(pl*in*o*y)`. *) `*pply*i**li**ts`' JS*o* *xpli*itly st*t*s it r*quir

8.2

Basic Information

Concerned about an active attack path?

CVE-2023-30609: HTML injection in search results via plaintext message highlighting

Impact

Patches

Workarounds

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI