Filtered by vendor Matrix Subscriptions

Search

Switch to Advanced Search (Beta)
Total 85 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-12423 1 Matrix 1 Synapse 2024-11-21 N/A
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
CVE-2018-12291 1 Matrix 1 Synapse 2024-11-21 N/A
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
CVE-2018-10657 1 Matrix 1 Synapse 2024-11-21 N/A
Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.
CVE-2024-42369 1 Matrix 1 Javascript Sdk 2024-09-03 4.1 Medium
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1.
CVE-2024-42347 1 Matrix 1 Matrix-react-sdk 2024-08-12 7.7 High
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.