Cross-site scripting in Synapse - CVE-2021-21333

 

Cross-site scripting in Synapse - CVE-2021-21333

Published: March 25, 2021 / Updated: May 4, 2026


Vulnerability identifier: #VU129604
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21333
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Matrix.org
Affected software:
Synapse

Detailed vulnerability description

The vulnerability allows a remote user to inject forged content into notification emails.

The vulnerability exists due to improper neutralization of input during web page generation in email notification templates when rendering missed message notifications. A remote user can send crafted content to inject forged content into notification emails.

The account expiry notification path is also affected, but that injection is not controllable by an attacker.


How to mitigate CVE-2021-21333

Install security update from vendor's website.

Sources