PT-2020-16533 · Matrix · Matrix Synapse

Dkasak · Published 2020-10-13 · Updated 2024-06-15 · CVE-2020-26891

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Matrix Synapse versions prior to 1.21.0
Description: The issue is due to unsafe interpolation of the session GET parameter in the AuthRestServlet, allowing a remote attacker to execute a cross-site scripting (XSS) attack. This can be done by supplying a victim user with a malicious URL to the "/_matrix/client/r0/auth/*/fallback/web" or "/_matrix/client/unstable/auth/*/fallback/web" Synapse endpoints. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.
Recommendations: For Matrix Synapse versions prior to 1.21.0, update to version 1.21.0 or later to fix the issue. As a temporary workaround, consider blocking the affected endpoints at a reverse proxy:
  • "/_matrix/client/r0/auth/.*/fallback/web"
  • "/_matrix/client/unstable/auth/.*/fallback/web"

This workaround is applicable if the homeserver is not configured to use reCAPTCHA, consent (terms of service), or single sign-on.
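As an added illustration (not Synapse's own servlet or template code), the following minimal stand-in shows the unsafe interpolation pattern described above beside its hardened form, plus a check that tells the two apart; PAGE_TEMPLATE, the function names and the sample URL are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a fallback auth page that embeds the "session"
# query parameter in a hidden form field. Illustrative only, not Synapse's
# own template or servlet code.
PAGE_TEMPLATE = (
    '<html><body><form method="POST">\n'
    '<input type="hidden" name="session" value="%(session)s">\n'
    '<input type="submit" value="Continue">\n'
    "</form></body></html>"
)


def session_from_url(url: str) -> str:
    """Extract the 'session' query parameter from a fallback-web URL ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("session", [""])[0]


def render_unsafe(session: str) -> str:
    """Pre-fix pattern: raw interpolation, so a '"' or '<' in the parameter
    terminates the value attribute and the rest is parsed as markup."""
    return PAGE_TEMPLATE % {"session": session}


def render_safe(session: str) -> str:
    """Hardened pattern: HTML-escape the untrusted value (quotes included)
    before placing it inside an attribute."""
    return PAGE_TEMPLATE % {"session": html.escape(session, quote=True)}


def injects_markup(page: str) -> bool:
    """Detection helper: a correctly rendered page contains exactly the tags
    and quotes of the template; any surplus means the parameter broke out."""
    return (page.count("<") != PAGE_TEMPLATE.count("<")
            or page.count('"') != PAGE_TEMPLATE.count('"'))


if __name__ == "__main__":
    # Constructed sample URL carrying a hostile-looking parameter value.
    url = ("https://matrix.example.org/_matrix/client/r0/auth/"
           "m.login.terms/fallback/web?session=x%22%3E%3Ci%3Einjected%3C/i%3E")
    session = session_from_url(url)
    print("unsafe breaks out:", injects_markup(render_unsafe(session)))  # True
    print("escaped breaks out:", injects_markup(render_safe(session)))   # False
```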


Related Identifiers

ALT-PU-2020-3036
ALT-PU-2020-3063
CVE-2020-26891
GHSA-3X8C-FMPC-5RMQ
OPENSUSE-SU-2024:11041-1
PYSEC-2020-238

Affected Products

Alt Linux
Matrix Synapse