Bug 1213436 (CVE-2023-37259)

Summary: VUL-0: CVE-2023-37259: element-web,matrix-react-sdk: Potential for XSS in Export Chat feature
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Robert Frohl <rfrohl>
Component: Security
Assignee: Dominik Heidler <dheidler>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/372829/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2023-07-18 15:42:39 UTC
Description

The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.

Impact

Since the Export Chat feature generates a separate document, an attacker can only inject code run from the null origin, restricting the impact.

However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side.

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

None, other than not using the Export Chat feature.

References

Are there any links users can visit to find out more?

References:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2023-37259
https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65
https://github.com/vector-im/element-web/releases/tag/v1.11.36
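As an added illustration of the bug class described in the advisory above (this is example code, not the element-web or matrix-react-sdk export implementation; the message fields and the choice of the sender display name as the injected input are assumptions), the following shows an HTML chat export that interpolates server-controlled fields unescaped, next to the same export with escaping applied:

```javascript
// Added example, not code from element-web or matrix-react-sdk.
// It shows the general shape of the bug class in the advisory: an HTML
// chat export that drops attacker-controlled fields into the generated
// document without escaping, beside the escaped version. The message
// shape and the use of displayName as the injected field are assumptions.

// Constructed sample messages. A malicious homeserver chooses the display
// name it hands the client, so that field is attacker-controlled.
const sampleMessages = [
  { sender: "@alice:example.org", displayName: "Alice", body: "hi" },
  {
    sender: "@mallory:example.org",
    // When the export is opened from disk its origin is "null", so this
    // script cannot reach the logged-in session, but it can still read
    // the export's own DOM, i.e. the exported message contents.
    displayName: '<img src=x onerror="alert(document.body.innerText)">',
    body: "Tom & Jerry <3",
  },
];

// Vulnerable: the template literal places raw strings into the HTML.
function exportChatVulnerable(messages) {
  return messages
    .map((m) => `<div class="msg"><b>${m.displayName}</b>: ${m.body}</div>`)
    .join("\n");
}

// Minimal HTML escaper, sufficient for text nodes and double-quoted
// attribute values (the two contexts used by exportChatHardened).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every untrusted field is escaped for the context it lands in,
// so markup inside a display name is rendered as literal text.
function exportChatHardened(messages) {
  return messages
    .map(
      (m) =>
        `<div class="msg" data-sender="${escapeHtml(m.sender)}">` +
        `<b>${escapeHtml(m.displayName)}</b>: ${escapeHtml(m.body)}</div>`
    )
    .join("\n");
}

// Check for the constructed payload: did the injected tag survive as a
// real tag (vulnerable), or only as "&lt;img ..." text (hardened)?
function payloadTagSurvives(html) {
  return /<img\b/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable export keeps live <img>:", payloadTagSurvives(exportChatVulnerable(sampleMessages)));
  console.log("hardened export keeps live <img>:  ", payloadTagSurvives(exportChatHardened(sampleMessages)));
}
```

The escaper is applied per output context (text node or double-quoted attribute) rather than once on the whole document; escaping in other contexts such as URLs or inline scripts needs a different encoder. The null-origin point in the advisory is visible in the payload: the injected script gets no access to the Element session, but it runs inside the exported document and can read and exfiltrate everything in it, which is the message leak the advisory describes.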
Comment 1 Robert Frohl 2023-07-18 15:43:58 UTC
affects openSUSE:Factory/element-web
Comment 2 Dominik Heidler 2023-07-19 08:16:52 UTC
Already accepted to factory: https://build.opensuse.org/request/show/1099307
(also https://build.opensuse.org/request/show/1099308 for element-desktop)