SB2021032548 - Multiple vulnerabilities in Synapse
Published: March 25, 2021 Updated: May 4, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2021-21333)
The vulnerability allows a remote user to inject forged content into notification emails.
The vulnerability exists due to improper neutralization of input during web page generation in email notification templates when rendering missed message notifications. A remote user can send crafted content to inject forged content into notification emails.
The account expiry notification path is also affected, but that injection is not controllable by an attacker.
2) Cross-site scripting (CVE-ID: CVE-2021-21332)
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in the password reset endpoint when handling password reset token submission. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.
The impact may include access to cookies and other browser data, CSRF exposure, and access to other resources served on the same domain or parent domains.
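As an added illustration (not code from the bulletin or from Synapse), the following stdlib-only Python contrasts the weak setting common to both issues above, substituting user-controlled values (a notification message body, a password reset token) into HTML without escaping, with the corrected autoescaped rendering, and includes a check that flags markup not present in the template. The templates, placeholder syntax and sample values are constructed assumptions.

```python
import html
import re

# Constructed templates (assumptions, not Synapse's own). Values substituted
# for {{ body }} and {{ token }} are controlled by a remote user.
NOTIF_TEMPLATE = "<p>{{ sender }} wrote:</p><blockquote>{{ body }}</blockquote>"
RESET_TEMPLATE = '<input type="hidden" name="token" value="{{ token }}">'

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context, autoescape):
    """Substitute {{ name }} placeholders from context.

    autoescape=False: the raw value lands in the HTML (the weak setting that
    lets a user inject forged content into an email or a reset page).
    autoescape=True: every value is HTML-escaped, so user input can only ever
    appear as text (the corrected setting).
    """
    def substitute(match):
        value = str(context[match.group(1)])
        return html.escape(value, quote=True) if autoescape else value
    return _PLACEHOLDER.sub(substitute, template)


def injected_markup(rendered, template):
    """Detection check: the rendered output may only contain tags that the
    template itself declares; any extra tag name came from user input."""
    allowed = set(re.findall(r"<(/?\w+)", template))
    return any(t not in allowed for t in re.findall(r"<(/?\w+)", rendered))


# Constructed sample inputs carrying markup a notification body or a token
# value should never be allowed to contribute to the page.
NOTIF_CTX = {"sender": "alice", "body": "Hello <b>there</b>"}
RESET_CTX = {"token": 't0ken"><b>x</b>'}

if __name__ == "__main__":
    for tpl, ctx in ((NOTIF_TEMPLATE, NOTIF_CTX), (RESET_TEMPLATE, RESET_CTX)):
        for flag in (False, True):
            out = render(tpl, ctx, autoescape=flag)
            print(f"autoescape={flag!s:5} injected={injected_markup(out, tpl)!s:5} {out}")
```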
Remediation
Install the update from the vendor's website.