CVE-2021-21333Injection in Synapse

CWE-74InjectionCWE-79Cross-site Scripting6 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
0.4%
top 40.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix-org SynapseMatrix SynapseFedoraproject Fedora
Timeline
PublishedMar 26

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and t

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:NExploitability: 1.6 | Impact: 4.0

Affected Packages2 packages

NVDmatrix/synapse< 1.27.0
CVEListV5matrix-org/synapse< 1.27.0

Also affects: Fedora 34

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CVE-2021-21333: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse)2021-03-26
OSV
HTML injection in email and account expiry notifications2021-03-26
GHSA
HTML injection in email and account expiry notifications2021-03-26
CVEList
HTML injection in email and account expiry notifications2021-03-26

📋Vendor Advisories

1
Debian
CVE-2021-21333: matrix-synapse - Synapse is a Matrix reference homeserver written in python (pypi package matrix-...2021
CVE-2021-21333 — Injection in Matrix-org Synapse | cvebase