Описание
Cross-site scripting (XSS) vulnerability in the password reset endpoint
Impact
The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.
Patches
This is fixed in #9200.
Workarounds
Depending on the needs and configuration of the homeserver a few options are available:
-
Password resets can be disabled by delegating email to a third-party service (via the
account_threepid_delegates.emailsetting) or disabling email (by not configuring theemailsetting). -
If the homeserver is not configured to use passwords (via the
password_config.enabledsetting) then the affected endpoint can be blocked at a reverse proxy:/_synapse/client/password_reset/email/submit_token
-
The
password_reset_confirmation.htmltemplate can be overridden with a custom template that manually escapes the variables using JInja2'sescapefilter. See theemail.template_dirsetting.
Ссылки
- https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899
- https://nvd.nist.gov/vuln/detail/CVE-2021-21332
- https://github.com/matrix-org/synapse/pull/9200
- https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df
- https://github.com/matrix-org/synapse/releases/tag/v1.27.0
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-133.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
Пакеты
matrix-synapse
< 1.27.0
1.27.0
Связанные уязвимости
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0.
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0.
Synapse is a Matrix reference homeserver written in python (pypi packa ...