CVE-2021-21320 LOW

CVE-2021-21320: User content sandbox can be confused into opening arbitrary documents

Vendor Matrix-Org
Product matrix-react-sdk
Weakness CWE-345
Published March 2, 2021
Last update August 3, 2024

CVSS base score

2.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messages and secrets are not at risk. This has been fixed in version 3.15.0.

Key dates

02Disclosure timeline

March 2, 2021 CVE published
August 3, 2024 Record updated