CVE-2021-21333

HTML injection in email and account expiry notifications

CVSS 6.1 MEDIUM · EPSS 1.4% · CWE-74
In short

Synapse sends notification emails that do not HTML-escape user-controlled content, allowing an attacker to inject arbitrary HTML into missed-message notifications. This could trick recipients into clicking harmful links or believing that forged content came from the server.

Technical detail

An HTML injection vulnerability (CWE-74) in Synapse's email notification templates affects missed-message alerts: user-controlled input is not sanitized before being rendered in an HTML context. Exploitation requires an attacker to send messages containing HTML payloads. Account expiry notifications are also affected, but are not exploitable, since the feature is disabled by default and the injected input is not attacker-controlled.

Summary generated and translated by AI from the official description.
Synapse is a Matrix reference homeserver written in Python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
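The bug class described above, as an added illustration that is not Synapse's own code: a constructed notification template in the same `{{ var }}` style rendered with and without autoescaping, plus a check a defender can run over rendered mail to flag markup that did not originate in the template. The template, field names and sample message are all constructed for this example.

```python
import html
import re
from collections import Counter
from typing import Dict, List

# Constructed stand-in for a missed-message notification template (not Synapse's
# real template). The message body is the user-controlled field that ends up in HTML.
NOTIF_TEMPLATE = (
    "<p><b>{{ sender }}</b> sent you a message in {{ room }}:</p>"
    "<blockquote>{{ body }}</blockquote>"
    '<p><a href="{{ link }}">View in Matrix</a></p>'
)

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
TAG = re.compile(r"</?([A-Za-z][A-Za-z0-9-]*)")


def render(template: str, ctx: Dict[str, str], autoescape: bool) -> str:
    """Minimal {{ var }} substitution. autoescape=False drops values into the HTML
    verbatim (the vulnerable behaviour); autoescape=True HTML-escapes every value."""
    def sub(m: "re.Match") -> str:
        value = str(ctx[m.group(1)])
        return html.escape(value, quote=True) if autoescape else value
    return PLACEHOLDER.sub(sub, template)


def injected_tags(template: str, rendered: str) -> List[str]:
    """Defensive check: tag occurrences in the rendered mail beyond those present
    in the template can only have come from interpolated values."""
    extra = Counter(t.lower() for t in TAG.findall(rendered)) - Counter(
        t.lower() for t in TAG.findall(template)
    )
    return sorted(extra)


# Constructed sample message whose body carries markup.
CONTEXT = {
    "sender": "@mallory:example.org",
    "room": "#general:example.org",
    "body": '<img src="https://example.invalid/track.gif"> '
            '<a href="https://example.invalid/">Please re-authenticate</a>',
    "link": "https://matrix.to/#/!room:example.org",
}


def demo():
    """Render the same notification both ways and return (unsafe, safe)."""
    unsafe = render(NOTIF_TEMPLATE, CONTEXT, autoescape=False)
    safe = render(NOTIF_TEMPLATE, CONTEXT, autoescape=True)
    return unsafe, safe
```

Running `injected_tags(NOTIF_TEMPLATE, rendered)` on outgoing mail yields a non-empty list only when a value smuggled markup in, which is a cheap regression check for an autoescape setting that has been switched off.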
Affected products
matrix-org · synapse
