Clokep

Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.25.0 Description: A malicious homeserver could redirect requests to their .well-known file to a large file, leading to a denial of service attack where homeservers consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server that accepts federation requests from untrusted servers. Recommendations: For Synapse versions prior to 1.25.0, update to version 1.25.0 to resolve the issue. As a temporary workaround, consider using the `federation domain whitelist` setting to restrict the homeservers communicated with over federation.

**Name of the Vulnerable Software and Affected Versions** Synapse versions prior to 1.27.0 **Description** The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. **Recommendations** For Synapse versions prior to 1.27.0, update to version 1.27.0 to fix the issue. As a temporary workaround, consider disabling password resets by delegating email to a third-party service via the `account threepid delegates.email` setting or disabling email by not configuring the `email` setting. If the homeserver is not configured to use passwords via the `password config.enabled` setting, then the affected endpoint can be blocked at a reverse proxy: `/ synapse/client/password reset/email/submit token`. The `password reset confirmation.html` template can be overridden with a custom template that manually escapes the variables using Jinja2's `escape` filter, see the `email.template dir` setting.

**Name of the Vulnerable Software and Affected Versions** Synapse versions prior to 1.27.0 **Description** The notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. **Recommendations** For versions prior to 1.27.0, update to version 1.27.0 to resolve the issue. As a temporary workaround, consider overriding the `notif.html`, `notif mail.html`, and `room.html` templates with custom templates that manually escape the variables using Jinja2's `escape` filter for the missed messages notifications. For the account expiry notifications, consider disabling the account expiry feature via the `account validity.enabled` setting or overriding the `notice expiry.html` template with a custom template that manually escapes the variables using Jinja2's `escape` filter.