The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.
This is fixed in #9200.
Depending on the needs and configuration of the homeserver a few options are available:
Password resets can be disabled by delegating email to a third-party service (via the account_threepid_delegates.email
setting) or disabling email (by not configuring the email
setting).
If the homeserver is not configured to use passwords (via the password_config.enabled
setting) then the affected endpoint can be blocked at a reverse proxy:
/_synapse/client/password_reset/email/submit_token
The password_reset_confirmation.html
template can be overridden with a custom template that manually escapes the variables using JInja2’s escape
filter. See the email.template_dir
setting.
github.com/matrix-org/synapse
github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df
github.com/matrix-org/synapse/pull/9200
github.com/matrix-org/synapse/releases/tag/v1.27.0
github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899
lists.fedoraproject.org/archives/list/[email protected]/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
nvd.nist.gov/vuln/detail/CVE-2021-21332