CVE-2021-21333 – matrix-synapse
Package
Manager: pip
Name: matrix-synapse
Vulnerable Version: >=0 <1.27.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
EPSS: 0.00264 (percentile 0.49654)
Details
HTML injection in email and account expiry notifications

### Impact
The notification emails sent for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker.

### Patches
This issue is fixed in #9200.

### Workarounds
For the missed messages notifications: the `notif.html`, `notif_mail.html`, and `room.html` templates can be overridden with custom templates that manually escape the variables using [Jinja2's `escape` filter](https://jinja.palletsprojects.com/en/2.11.x/templates/#escape). See the `email.template_dir` setting.

For the account expiry notifications:
1. Account expiry can be disabled via the `account_validity.enabled` setting.
2. The `notice_expiry.html` template can be overridden with a custom template that manually escapes the variables using [Jinja2's `escape` filter](https://jinja.palletsprojects.com/en/2.11.x/templates/#escape). See the `email.template_dir` setting.
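As an added illustration that is not part of the advisory or of Synapse's own templates, the following Python script contrasts a notification fragment that renders template variables raw with the workaround above, where each variable is passed through Jinja2's `escape` filter. It assumes the `jinja2` package is installed; the template fragments, the sender name and the room name are constructed stand-ins, not Synapse's real template text.

```python
# Added example, not Synapse's own templates or code: contrasts a notification
# template fragment that renders variables raw with the advisory's workaround
# (Jinja2's `escape` filter). Requires the jinja2 package.
from jinja2 import Environment

# Constructed stand-ins for values interpolated into a missed-message email;
# a room name is chosen by whoever created the room, so it is untrusted input.
SENDER = "alice"
ROOM_NAME = 'Ops <a href="https://example.invalid/login">Reset your password</a>'

# Fragment modelled on the vulnerable behaviour: variables rendered raw, with
# autoescaping left off in the environment.
RAW_TEMPLATE = "<p>You have a new message from {{ sender }} in {{ room_name }}</p>"

# Workaround from the advisory: escape each variable explicitly in the template.
ESCAPED_TEMPLATE = (
    "<p>You have a new message from {{ sender | escape }} "
    "in {{ room_name | escape }}</p>"
)


def render(template_source, autoescape=False, **context):
    """Render a template string under an explicit autoescape policy."""
    env = Environment(autoescape=autoescape)
    return env.from_string(template_source).render(**context)


def render_vulnerable():
    return render(RAW_TEMPLATE, sender=SENDER, room_name=ROOM_NAME)


def render_hardened():
    return render(ESCAPED_TEMPLATE, sender=SENDER, room_name=ROOM_NAME)


def render_autoescaped():
    # Environment-level alternative: autoescape=True escapes every variable, and
    # applying `escape` to an already-escaped value does not double-escape it.
    return render(ESCAPED_TEMPLATE, autoescape=True, sender=SENDER, room_name=ROOM_NAME)


def leaks_markup(rendered):
    """True if the untrusted value's anchor tag survived as live HTML."""
    return "<a href=" in rendered


if __name__ == "__main__":
    for label, fn in [("vulnerable", render_vulnerable), ("hardened", render_hardened)]:
        out = fn()
        print(f"{label}: leaks_markup={leaks_markup(out)}\n  {out}")
```

Running the script shows the raw fragment delivering a clickable link inside the email body, while the escaped fragment renders the same room name as inert text (`&lt;a href=...&gt;`).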
Metadata
Created: 2021-03-26T19:53:04Z
Modified: 2024-09-30T20:35:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-c5f8-35qr-q4fm/GHSA-c5f8-35qr-q4fm.json
CWE IDs: ["CWE-74", "CWE-79"]
Alternative ID: GHSA-c5f8-35qr-q4fm
Finding: F425
Auto approve: 1