CVE-2021-21333

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.

Related CPE's

a matrix synapse ********

References

https://github.com/matrix-org/synapse/pull/9200

PatchThird Party Advisory

https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df

PatchThird Party Advisory

https://github.com/matrix-org/synapse/releases/tag/v1.27.0

Third Party Advisory

https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm

PatchThird Party Advisory

CvssV3 impact

BaseSeverity	MEDIUM
ConfidentialityImpact	NONE
AttackComplexity	HIGH
Scope	CHANGED
AttackVector	NETWORK
AvailabilityImpact	NONE
IntegrityImpact	HIGH
PrivilegesRequired	NONE
BaseScore	6.1
VectorString	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Version	3.1
UserInteraction	REQUIRED

CvssV2 impact

AccessComplexity	HIGH
ConfidentialityImpact	NONE
AvailabilityImpact	NONE
IntegrityImpact	PARTIAL
BaseScore	2.6
VectorString	AV:N/AC:H/Au:N/C:N/I:P/A:N
Version	2.0
AccessVector	NETWORK
Authentication	NONE