Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI0NnctNTZtMi01ODk5

Cross-site scripting (XSS) vulnerability in the password reset endpoint

Impact

The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.

Patches

This is fixed in #9200.

Workarounds

Depending on the needs and configuration of the homeserver a few options are available:

  1. Password resets can be disabled by delegating email to a third-party service (via the account_threepid_delegates.email setting) or disabling email (by not configuring the email setting).

  2. If the homeserver is not configured to use passwords (via the password_config.enabled setting) then the affected endpoint can be blocked at a reverse proxy:

    • /_synapse/client/password_reset/email/submit_token
  3. The password_reset_confirmation.html template can be overridden with a custom template that manually escapes the variables using JInja2's escape filter. See the email.template_dir setting.

Permalink: https://github.com/advisories/GHSA-246w-56m2-5899
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI0NnctNTZtMi01ODk5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 6.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Identifiers: GHSA-246w-56m2-5899, CVE-2021-21332
References: Repository: https://github.com/matrix-org/synapse
Blast Radius: 9.8

Affected Packages

pypi:matrix-synapse
Dependent packages: 6
Dependent repositories: 26
Downloads: 11,785 last month
Affected Version Ranges: < 1.27.0
Fixed in: 1.27.0
All affected versions: 0.33.5, 0.33.6, 0.33.7, 0.33.8, 0.33.9, 0.34.0, 0.99.0, 0.99.1, 0.99.2, 0.99.3, 0.99.4, 0.99.5, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.13.0, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.16.1, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.20.0, 1.20.1, 1.21.0, 1.21.1, 1.21.2, 1.22.0, 1.22.1, 1.23.0, 1.23.1, 1.24.0, 1.25.0, 1.26.0
All unaffected versions: 1.27.0, 1.28.0, 1.29.0, 1.30.0, 1.30.1, 1.31.0, 1.32.0, 1.32.1, 1.32.2, 1.33.0, 1.33.1, 1.33.2, 1.34.0, 1.35.0, 1.35.1, 1.36.0, 1.37.0, 1.37.1, 1.38.0, 1.38.1, 1.39.0, 1.40.0, 1.41.0, 1.41.1, 1.42.0, 1.43.0, 1.44.0, 1.45.0, 1.45.1, 1.46.0, 1.47.0, 1.47.1, 1.48.0, 1.49.0, 1.49.2, 1.50.0, 1.50.1, 1.50.2, 1.51.0, 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.55.1, 1.55.2, 1.56.0, 1.57.0, 1.57.1, 1.58.0, 1.58.1, 1.59.0, 1.59.1, 1.60.0, 1.61.0, 1.61.1, 1.62.0, 1.63.0, 1.63.1, 1.64.0, 1.65.0, 1.66.0, 1.67.0, 1.68.0, 1.69.0, 1.70.0, 1.70.1, 1.71.0, 1.72.0, 1.73.0, 1.74.0, 1.75.0, 1.76.0, 1.77.0, 1.78.0, 1.79.0, 1.80.0, 1.81.0, 1.82.0, 1.83.0, 1.84.0, 1.84.1, 1.85.0, 1.85.1, 1.85.2, 1.86.0, 1.87.0, 1.88.0, 1.89.0, 1.90.0, 1.91.0, 1.91.1, 1.91.2, 1.92.1, 1.92.2, 1.92.3, 1.93.0, 1.94.0, 1.95.0, 1.95.1, 1.96.1, 1.97.0, 1.98.0, 1.99.0, 1.100.0, 1.101.0, 1.102.0, 1.103.0, 1.104.0, 1.105.0, 1.105.1, 1.106.0, 1.107.0, 1.108.0, 1.109.0