matrix-synapse (fixed in 1.27.0) is vulnerable to HTML injection. The notification emails sent for missed messages and for an expiring account are built without output sanitization, so an attacker who controls content that is rendered into such an email can inject arbitrary HTML, which is rendered, and any script it carries executed, in the recipient's browser.
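As an added illustration of the bug class (constructed example, not Synapse's own code or its real email templates), the snippet below renders a missed-message notification from attacker-controlled fields first without escaping and then with escaping applied at the point of output, and includes a small regression check that flags any tag in the rendered HTML that the template did not emit itself. The field names, the template tags and the hostile message are assumptions made for the example.

```python
"""Illustration of the bug class behind CVE-2021-21333: building a
notification email's HTML from user-controlled Matrix fields without
escaping. Constructed example; not Synapse code and not its templates."""
import html
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class MissedMessage:
    # Assumed fields: both are chosen by the remote sender, i.e. the attacker.
    sender_display_name: str
    body: str


# Tags the (assumed) email template emits itself; anything else came from input.
TEMPLATE_TAGS = {"p", "b"}


def render_unsafe(msg: MissedMessage) -> str:
    """Vulnerable pattern: untrusted text interpolated straight into HTML."""
    return f"<p><b>{msg.sender_display_name}</b>: {msg.body}</p>"


def render_safe(msg: MissedMessage) -> str:
    """Hardened pattern: escape every untrusted field at the point of output.
    html.escape() escapes quotes too (quote=True by default), so the same
    helper is also safe for text placed inside attribute values."""
    return (f"<p><b>{html.escape(msg.sender_display_name)}</b>: "
            f"{html.escape(msg.body)}</p>")


class _TagCollector(HTMLParser):
    """Collects the names of every start tag the HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def injected_tags(rendered_html: str) -> set:
    """Regression check: tags present in the rendered email that the template
    does not emit. A non-empty result means input reached the parser as
    markup rather than as text."""
    parser = _TagCollector()
    parser.feed(rendered_html)
    parser.close()
    return parser.tags - TEMPLATE_TAGS


# Constructed attacker-controlled message (not a real payload from the advisory).
HOSTILE = MissedMessage(
    sender_display_name='Mallory <img src=x onerror="alert(1)">',
    body="hi <script>alert(document.cookie)</script>",
)

if __name__ == "__main__":
    print("unsafe:", injected_tags(render_unsafe(HOSTILE)))  # {'img', 'script'}
    print("safe  :", injected_tags(render_safe(HOSTILE)))    # set()
```

The check in injected_tags is deliberately an allowlist over the template's own tags rather than a search for `<script>`: it also catches event-handler attributes on otherwise harmless tags such as the `img` above, which is the more common way script reaches a mail client or browser from a notification email.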
github.com/advisories/GHSA-c5f8-35qr-q4fm
github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df
github.com/matrix-org/synapse/pull/9200
github.com/matrix-org/synapse/releases/tag/v1.27.0
github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm
lists.fedoraproject.org/archives/list/[email protected]/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
security-tracker.debian.org/tracker/CVE-2021-21333