[FREEBSD:5B0AE405-CDC7-11ED-BB39-901B0E9408DC] Matrix clients -- Prototype pollution in matrix-js-sdk

Severity High

Affected Packages 2

CVEs 2

Matrix developers report:

  Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk
  to patch a pair of High severity vulnerabilities (CVE-2023-28427 /
  GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv
  for matrix-react-sdk).
  The issues involve prototype pollution via events containing special strings
  in key locations, which can temporarily disrupt normal functioning of matrix-js-sdk
  and matrix-react-sdk, potentially impacting the consumer's ability to process data
  safely.

Package	Affected Version
pkg:freebsd/element-web	< 1.11.26
pkg:freebsd/cinny

ID

FREEBSD:5B0AE405-CDC7-11ED-BB39-901B0E9408DC

Severity

high

Severity from

CVE-2023-28103

URL

http://vuxml.freebsd.org/freebsd/5b0ae405-cdc7-11ed-bb39-901b0e9408dc.html

Published

2023-03-28T00:00:00
(18 months ago)

Modified

2023-03-29T00:00:00
(18 months ago)

Rights

FreeBSD VuXML Security Team

Other Advisories

Source	# ID	Name	URL
FreeBSD VuXML			https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:freebsd/element-web		element-web	< 1.11.26
Affected	pkg:freebsd/cinny		cinny

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date