CVEs-PoC/2021/CVE-2021-21320.md

### [CVE-2021-21320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21320)
![](https://img.shields.io/static/v1?label=Product&message=matrix-react-sdk&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%203.15.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-345%20Insufficient%20Verification%20of%20Data%20Authenticity&color=brightgreen)

### Description

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messages and secrets are not at risk. This has been fixed in version 3.15.0.

### POC

#### Reference
- https://www.npmjs.com/package/matrix-react-sdk

#### Github
No PoCs found on GitHub currently.