Cross-site scripting in Synapse - CVE-2021-21332

Published: March 25, 2021 / Updated: May 4, 2026


Vulnerability identifier: #VU129608
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2021-21332
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Synapse
Software vendor: Matrix.org

Description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of user-supplied input (cross-site scripting, CWE-79) in the password reset endpoint when handling password reset token submission. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

The impact may include access to cookies and other browser data, CSRF exposure, and access to other resources served on the same domain or parent domains.


Remediation

Install the security update from the vendor's website.

External links