PT-2021-14427 · Synapse+1 · Synapse+1

Clokep · Published 2021-02-24 · Updated 2021-11-23 · CVE-2021-21332

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.27.0

Description: The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.

Recommendations: For Synapse versions prior to 1.27.0, update to version 1.27.0 to fix the issue. As a temporary workaround, consider disabling password resets by delegating email to a third-party service via the `account_threepid_delegates.email` setting, or disabling email by not configuring the `email` setting. If the homeserver is not configured to use passwords via the `password_config.enabled` setting, then the affected endpoint can be blocked at a reverse proxy: `/_synapse/client/password_reset/email/submit_token`. The `password_reset_confirmation.html` template can be overridden with a custom template that manually escapes the variables using Jinja2's escape filter; see the `email.template_dir` setting.
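
The template workaround above, as an added example that is not part of this advisory or of Synapse's own code: a Jinja2 template rendered with autoescaping off reflects request-controlled values verbatim, while the same template with every variable passed through Jinja2's escape filter (`e`) turns markup into entities. The template text, the variable names `path` and `token`, and the test values are constructed for illustration (they are not the real Synapse template), and Jinja2 is assumed to be installed.

```python
# Added example (not from the advisory or from Synapse): compares a template
# interpolating request-derived values with autoescape off against the same
# template hardened with Jinja2's escape filter, as the advisory's workaround
# suggests for a custom password_reset_confirmation.html.
from jinja2 import Environment, BaseLoader

# Constructed stand-in for a password-reset confirmation page. The variable
# names are assumptions, not the real template's; both values would be filled
# from the incoming request, so their contents are attacker-controlled.
UNESCAPED_TEMPLATE = (
    '<form method="post" action="{{ path }}">\n'
    '<input type="hidden" name="token" value="{{ token }}">\n'
    "</form>"
)

# Same template with every interpolated variable sent through the escape
# filter ("e" is Jinja2's alias for "escape"), so quotes and angle brackets
# become HTML entities instead of being parsed by the browser as markup.
ESCAPED_TEMPLATE = (
    '<form method="post" action="{{ path | e }}">\n'
    '<input type="hidden" name="token" value="{{ token | e }}">\n'
    "</form>"
)

# An environment created without autoescaping: the condition under which the
# unescaped template is exposed to reflected XSS.
_env = Environment(loader=BaseLoader(), autoescape=False)


def render(template_text: str, path: str, token: str) -> str:
    """Render a template with request-derived values, autoescape off."""
    return _env.from_string(template_text).render(path=path, token=token)


def markup_neutralised(html: str, marker: str = "<b>") -> bool:
    """True when the raw tag marker no longer appears verbatim in the output."""
    return marker not in html


if __name__ == "__main__":
    # Constructed test value: closes the attribute and opens a tag. It is a
    # detection input for the comparison, not something to serve to users.
    hostile = '"><b>injected</b>'
    for name, tmpl in (("unescaped", UNESCAPED_TEMPLATE), ("escaped", ESCAPED_TEMPLATE)):
        out = render(tmpl, path="/reset", token=hostile)
        print(f"{name}: markup neutralised = {markup_neutralised(out)}")
```

Run it to see the unescaped template echo the tag back and the escaped one emit `&#34;&gt;&lt;b&gt;` in its place; the same check applies to any variable a custom template interpolates.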

Fix

XSS


Weakness Enumeration

Related Identifiers

ALT-PU-2021-1385
CVE-2021-21332
GHSA-246W-56M2-5899
PYSEC-2021-133

Affected Products

Alt Linux
Synapse