Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker
A remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim's client to send their Matrix access token to an attacker-controlled server. This occurs when the victim opens the emoji or sticker picker for the room containing a malicious emote pack. The root causes are: (1) an incorrect fallback in EmojiBoard that uses untrusted …