PT-2023-28352 · Synapse+3 · Synapse+3

Lowerikjohnston

Published: 2023-09-26 · Updated: 2025-04-22 · CVE-2023-42453

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.93.0

Description: The issue allows users to forge read receipts for any event if they know the room ID and event ID. Although users cannot view the events, they can mark them as read, potentially causing confusion as clients will display the event as read by the user, even if they are not in the room.

Recommendations: For versions prior to 1.93.0, upgrade to version 1.93.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the read receipt functionality until a patch is applied. Note that there are no known workarounds for this issue, and upgrading to the patched version is the recommended course of action.

Exploit

Fix

Improper Authorization

Weakness Enumeration

Related Identifiers

ALT-PU-2024-3315
CVE-2023-42453
GHSA-7565-CQ32-VX2X
OPENSUSE-SU-2024:13270-1
PYSEC-2023-180
USN-7444-1

Affected Products

Alt Linux
Linux Mint
Synapse
Ubuntu