matrix_synapse is vulnerable to cross-site scripting (XSS). An attacker can inject and execute arbitrary JavaScript in a user’s browser via the reCAPTCHA, consent (terms of service), or single sign-on functions.
github.com/advisories/GHSA-3x8c-fmpc-5rmq
github.com/matrix-org/synapse/pull/8444
github.com/matrix-org/synapse/releases
github.com/matrix-org/synapse/releases/tag/v1.21.2
github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq
matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory