CVE-2021-21332
MEDIUMSynapse < 1.27.0 - Cross-Site Scripting via Password Reset Endpoint
Title source: llmDescription
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_confirm
https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899
Third Party Advisory x_refsource_misc
https://github.com/matrix-org/synapse/releases/tag/v1.27.0
Patch, Third Party Advisory x_refsource_misc
https://github.com/matrix-org/synapse/pull/9200
Patch, Third Party Advisory x_refsource_misc
https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
Scores
CVSS v3
6.9
EPSS
0.0122
EPSS Percentile
64.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
fedoraproject/fedora
34
matrix/synapse
< 1.27.0
pypi/matrix-synapse
0 - 1.27.0PyPI
Published
Mar 26, 2021
Tracked Since
Feb 18, 2026