Improper handling of multiline messages in node-irc

High
dkasak published GHSA-52rh-5rpj-c3w6 May 4, 2022

Package

node-irc (npm)

Affected versions

<= 1.2.0

Patched versions

1.2.1

Description

Impact

The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message.

Because a CR character was handled incorrectly, part of the message could be sent to the IRC server verbatim rather than as a message to the channel.
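
The failure mode described above, as an added example that is not node-irc's code and not part of the original advisory: a simplified sender (hypothetical functions `sayLfOnly` and `saySafe`) wraps each line of a message body in a PRIVMSG, and a check looks for outbound lines that escaped that wrapping. It assumes the server ends a protocol line at a bare CR; the sample text is constructed.

```javascript
// Added illustration; not node-irc's source. Function names are hypothetical.

// Assumption: the receiving server ends a protocol line at a bare CR or LF
// as well as at CRLF.
function linesSeenByServer(wire) {
  return wire.split(/\r\n|\r|\n/).filter((line) => line.length > 0);
}

// Weak form: only LF is treated as a line break in the message body, so a
// CR inside the text is copied to the wire unchanged.
function sayLfOnly(target, text) {
  return text
    .split('\n')
    .filter((part) => part.length > 0)
    .map((part) => `PRIVMSG ${target} :${part}\r\n`)
    .join('');
}

// Hardened form: CR, LF and CRLF all split the body, so every fragment is
// wrapped in its own PRIVMSG and none can stand alone as a protocol line.
function saySafe(target, text) {
  return text
    .split(/\r\n|\r|\n/)
    .filter((part) => part.length > 0)
    .map((part) => `PRIVMSG ${target} :${part}\r\n`)
    .join('');
}

// Check for outbound lines that are not the PRIVMSG the caller asked for.
function strayLines(wire, target) {
  const prefix = `PRIVMSG ${target} :`;
  return linesSeenByServer(wire).filter((line) => !line.startsWith(prefix));
}

// Constructed sample: reply text whose quoted part carries a bare CR.
const sample = 'quoted text\rUNWRAPPED-FRAGMENT\nmy reply';

console.log(strayLines(sayLfOnly('#room', sample), '#room')); // [ 'UNWRAPPED-FRAGMENT' ]
console.log(strayLines(saySafe('#room', sample), '#room'));   // []
```

A check like `strayLines` can run in a unit test or as an assertion just before the socket write, so that any regression in line splitting is caught before data reaches the server.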

Patches

The vulnerability has been patched in node-irc version 1.2.1.

References

Credits

Discovered by Val Lorentz.

For more information

If you have any questions or comments about this advisory, email us at security@matrix.org.

Severity

High

CVE ID

No known CVE

Weaknesses