CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21333 – HTML injection in email and account expiry notifications
https://notcve.org/view.php?id=CVE-2021-21333
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. • https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df https://github.com/matrix-org/synapse/pull/9200 https://github.com/matrix-org/synapse/releases/tag/v1.27.0 https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21332 – Cross-site scripting (XSS) vulnerability in the password reset endpoint
https://notcve.org/view.php?id=CVE-2021-21332
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0. • https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df https://github.com/matrix-org/synapse/pull/9200 https://github.com/matrix-org/synapse/releases/tag/v1.27.0 https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21273 – Open redirects on some federation and push requests
https://notcve.org/view.php?id=CVE-2021-21273
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. • https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746 https://github.com/matrix-org/synapse/pull/8821 https://github.com/matrix-org/synapse/releases/tag/v1.25.0 https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26257 – Denial of service attack via incorrect parameters to federation APIs
https://notcve.org/view.php?id=CVE-2020-26257
Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers. • https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09 https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b https://github.com/matrix-org/synapse/pull/8776 https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR4MMYZKX5N5GYG • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-26890
https://notcve.org/view.php?id=CVE-2020-26890
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the room's state, the impact is long-lasting and is not fixed by an upgrade to a newer version, requiring the event to be manually redacted instead. Since events are replicated to servers of other room members, the impact is not constrained to the server of the event sender. Matrix Synapse versiones anteriores a 1.20.0, permite erróneamente valores de JSON NaN, Infinity e -Infinity no estándar en campos de eventos m.room.member, permitiendo a atacantes remotos ejecutar un ataque de denegación de servicio contra la federación y unos clientes comunes de Matrix. Si un evento malformado es aceptado en el estado de la sala, el impacto es duradero y no es corregido con una actualización a una versión más nueva, requiriendo que el evento sea redactado manualmente. • https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ • CWE-20: Improper Input Validation •