Improper Input Validation

Affecting matrix-synapse package, versions [,1.27.0)


Overview

matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP.

Affected versions of this package are vulnerable to Improper Input Validation. HTML injection is possible in the notification emails sent for missed messages and for expiring accounts. In the missed-message case, an attacker can inject forged content into the email. In the account-expiry case, the feature is not enabled by default and the injected HTML is not controllable by an attacker.
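The defect class behind this advisory, shown as an added illustration (this is not Synapse's code and `TEMPLATE` is a hypothetical stand-in for its real email template): a chat message body and sender name interpolated raw into an HTML notification email, beside the escaped form, with a small check that reports which tags from the untrusted input survive as live markup. The sample sender and body are constructed for the example.

```python
import html
from email.message import EmailMessage

# Constructed sample (not from the advisory): a sender name and message body
# as a remote user could send them, carrying markup that an HTML mail client
# would render as a real link and as hidden text.
SAMPLE_SENDER = 'Alice <b>(admin)</b>'
SAMPLE_BODY = (
    'Hi! <a href="https://example.invalid/login">Sign in again</a> '
    '<span style="display:none">hidden</span>'
)

# Hypothetical template for the illustration; Synapse's real template differs.
TEMPLATE = (
    "<html><body>"
    "<p>You have a new message from {sender}:</p>"
    "<blockquote>{body}</blockquote>"
    "</body></html>"
)


def render_unescaped(sender: str, body: str) -> str:
    """Defect pattern: untrusted strings interpolated straight into HTML."""
    return TEMPLATE.format(sender=sender, body=body)


def render_escaped(sender: str, body: str) -> str:
    """Fix: HTML-escape every untrusted field, quotes included, before interpolation."""
    return TEMPLATE.format(
        sender=html.escape(sender, quote=True),
        body=html.escape(body, quote=True),
    )


def live_tags(rendered: str, tags=("<a ", "<span", "<b>", "<script")) -> list:
    """Regression check: which tags from the untrusted input survive as live markup.

    None of the listed tags occur in TEMPLATE itself, so any hit comes from input.
    """
    return [t for t in tags if t in rendered]


def build_notification(to_addr: str, sender: str, body: str) -> EmailMessage:
    """Assemble the notification as multipart/alternative: plain text plus escaped HTML.

    The text/plain part carries the raw strings, which is safe because that part
    is never parsed as HTML; only the text/html part needs escaping.
    """
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "notifications@example.invalid"
    msg["Subject"] = "You have unread messages"
    msg.set_content(f"You have a new message from {sender}:\n\n{body}\n")
    msg.add_alternative(render_escaped(sender, body), subtype="html")
    return msg


if __name__ == "__main__":
    print("unescaped keeps:", live_tags(render_unescaped(SAMPLE_SENDER, SAMPLE_BODY)))
    print("escaped keeps:  ", live_tags(render_escaped(SAMPLE_SENDER, SAMPLE_BODY)))
    print(build_notification("bob@example.invalid", SAMPLE_SENDER, SAMPLE_BODY).as_string())
```

In a real template engine the equivalent fix is to render the HTML email with autoescaping enabled and to mark only trusted, pre-sanitised fragments as safe; escaping at the call site, as above, is the stdlib-only version of the same rule. The `live_tags` check is the kind of assertion worth keeping in a test suite so that a later template change cannot silently reintroduce raw interpolation.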

Remediation

Upgrade matrix-synapse to version 1.27.0 or higher.

CVSS Score

5.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Credit
Unknown
CVE
CVE-2021-21333
CWE
CWE-74
Snyk ID
SNYK-PYTHON-MATRIXSYNAPSE-1089448
Disclosed
26 Mar, 2021
Published
29 Mar, 2021