Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1oNzQtNG01Zy1mY2p4

Moderate CVSS: 6.9 EPSS: 0.0025% (0.48412 Percentile) EPSS:
Permalink JSON

Malicious users could abuse Sydent to control the content of invitation emails

Affected Packages Affected Versions Fixed Versions
pypi:matrix-sydent
PURL: pkg:pypi/matrix-sydent
< 2.3.0 2.3.0
0 Dependent packages
1 Dependent repositories
826 Downloads last month

Affected Version Ranges

All affected versions

2.0.0, 2.0.1, 2.1.0, 2.2.0

All unaffected versions

2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.6.0, 2.6.1

Impact

A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example.

Patches

Fixed in 4469d1d, 6b405a8, 65a6e91.

Note that these patches include changes to the default email templates. If these templates have been locally modified, they must also be updated.

For more information

If you have any questions or comments about this advisory, email us at security@matrix.org.

References:

Identifiers

GHSA-mh74-4m5g-fcjx

CVE-2021-29432

Risk

Severity

Moderate

CVSS

CVSS Score: 6.9

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.0025

EPSS Percentile: 0.48412

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/matrix-org/sydent

Date and time

Published

over 4 years ago

Updated

about 1 year ago

API

JSON