User Content Sandbox Bypass in matrix-react-sdk before 3.15.0

User Content Sandbox Bypass in matrix-react-sdk before 3.15.0

CVE-2021-21320 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messages and secrets are not at risk. This has been fixed in version 3.15.0.

Learn more about our User Device Pen Test.