CVE-2021-21332 – matrix-synapse

Package

Manager: pip
Name: matrix-synapse
Vulnerable Version: >=0 <1.27.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

EPSS: 0.00505 pctl0.65226

Details

Cross-site scripting (XSS) vulnerability in the password reset endpoint ### Impact The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. ### Patches This is fixed in #9200. ### Workarounds Depending on the needs and configuration of the homeserver a few options are available: 1. Password resets can be disabled by delegating email to a third-party service (via the `account_threepid_delegates.email` setting) or disabling email (by not configuring the `email` setting). 2. If the homeserver is not configured to use passwords (via the `password_config.enabled` setting) then the affected endpoint can be blocked at a reverse proxy: * `/_synapse/client/password_reset/email/submit_token` 3. The `password_reset_confirmation.html` template can be overridden with a custom template that manually escapes the variables using [JInja2's `escape` filter](https://jinja.palletsprojects.com/en/2.11.x/templates/#escape). See the `email.template_dir` setting.

Metadata

Created: 2021-03-26T19:52:54Z
Modified: 2024-09-30T20:30:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-246w-56m2-5899/GHSA-246w-56m2-5899.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-246w-56m2-5899
Finding: F425
Auto approve: 1