First published: Fri Mar 26 2021(Updated: )
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Matrix Synapse | <1.27.0 | |
Fedoraproject Fedora | =34 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-21333 is a vulnerability in Synapse, a Matrix reference homeserver, that allows an attacker to intercept email notifications for missed messages or expiring accounts.
CVE-2021-21333 has a severity level of 6.1 (medium).
The affected software for CVE-2021-21333 includes Matrix Synapse versions up to and excluding 1.27.0, as well as Fedoraproject Fedora version 34.
To fix CVE-2021-21333, upgrade Matrix Synapse to version 1.27.0 or higher.
The CWE classifications for CVE-2021-21333 are CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).