CVE-2021-21333

 

Published at: - 26-03-2021 09:15

Last modified: - 22-10-2022 12:42

Total changes: - 5

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

 

Verification logic

 

Reference

• https://github.com/matrix-org/synapse/pull/9200
• https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df
• https://github.com/matrix-org/synapse/releases/tag/v1.27.0
• https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm
• FEDORA-2021-a627cfd31e-Mailing List, Third Party Advisory

 

Keywords

NVD

 

CVE-2021-21333

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures