CVE-2019-11340

Name of the Vulnerable Software and Affected Versions Matrix Sydent versions prior to 1.0.2

Description The issue arises from the handling of registration restrictions based on e-mail domain in util/emailutils.py. Specifically, when the allowed local 3pids option is enabled, it can lead to potentially unwanted behavior. This is due to how Python's email.utils.parseaddr function handles certain email addresses. For example, when applied to an address like user@bad.example.net@good.example.com, it returns the user@bad.example.net substring, which may not be the intended outcome.

Recommendations For versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue. As a temporary workaround, consider disabling the allowed local 3pids option until the update can be applied.