CVE-2021-21332Cross-site Scripting in Synapse

CWE-79Cross-site Scripting6 documents5 sources
Severity
8.2HIGHNVD
CNA6.9
EPSS
0.5%
top 33.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix-org SynapseMatrix SynapseFedoraproject Fedora
Timeline
PublishedMar 26

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.7

Affected Packages2 packages

NVDmatrix/synapse< 1.27.0
CVEListV5matrix-org/synapse< 1.27.0

Also affects: Fedora 34

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CVE-2021-21332: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse)2021-03-26
GHSA
Cross-site scripting (XSS) vulnerability in the password reset endpoint2021-03-26
CVEList
Cross-site scripting (XSS) vulnerability in the password reset endpoint2021-03-26
OSV
Cross-site scripting (XSS) vulnerability in the password reset endpoint2021-03-26

📋Vendor Advisories

1
Debian
CVE-2021-21332: matrix-synapse - Synapse is a Matrix reference homeserver written in python (pypi package matrix-...2021
CVE-2021-21332 — Cross-site Scripting in Synapse | cvebase