Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Cross-site scripting (XSS) vulnerability in the password reset endpoint

Moderate
clokep published GHSA-246w-56m2-5899 Mar 25, 2021

Package

pip matrix-synapse (pip)

Affected versions

< 1.27.0

Patched versions

>= 1.27.0

Description

Impact

The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.

Patches

This is fixed in #9200.

Workarounds

Depending on the needs and configuration of the homeserver a few options are available:

  1. Password resets can be disabled by delegating email to a third-party service (via the account_threepid_delegates.email setting) or disabling email (by not configuring the email setting).

  2. If the homeserver is not configured to use passwords (via the password_config.enabled setting) then the affected endpoint can be blocked at a reverse proxy:

    • /_synapse/client/password_reset/email/submit_token
  3. The password_reset_confirmation.html template can be overridden with a custom template that manually escapes the variables using JInja2's escape filter. See the email.template_dir setting.

Severity

Moderate

CVE ID

CVE-2021-21332

Weaknesses

No CWEs