Description
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_misc
https://github.com/matrix-org/synapse/releases/tag/v1.27.0
Patch, Third Party Advisory x_refsource_misc
https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df
Patch, Third Party Advisory x_refsource_confirm
https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
Patch, Third Party Advisory x_refsource_misc
https://github.com/matrix-org/synapse/pull/9200
Scores
CVSS v3
6.1
EPSS
0.0039
EPSS Percentile
59.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Details
CWE
CWE-74
CWE-79
Status
published
Products (3)
fedoraproject/fedora
34
matrix/synapse
< 1.27.0
pypi/matrix-synapse
0 - 1.27.0PyPI
Published
Mar 26, 2021
Tracked Since
Feb 18, 2026