PT-2021-14428
Clokep
Published: 2021-02-24 · Updated: 2022-10-21
CVE: CVE-2021-21333
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.27.0
Description: The notification emails sent for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection there is not controllable by an attacker.
Recommendations: For versions prior to 1.27.0, update to version 1.27.0 to resolve the issue. As a temporary workaround, consider overriding the notif.html, notif_mail.html, and room.html templates with custom templates that manually escape the variables using Jinja2's escape filter for the missed messages notifications. For the account expiry notifications, consider disabling the account expiry feature via the account_validity.enabled setting or overriding the notice_expiry.html template with a custom template that manually escapes the variables using Jinja2's escape filter.
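The following is an added illustration of the mitigation class described above; it is not Synapse's code or template and does not reproduce the advisory's fix. It stands in for Jinja2 rendering with a minimal {{ var }} substitution and uses the standard library's html.escape in place of Jinja2's escape filter (both turn <, >, &, and quotes into entities). The template text and the context values are constructed samples. The injected_tags check shows how a defender can verify that a rendered notification contains no HTML elements beyond those the template itself declares.

```python
import html
import re
from typing import Dict, Set

# Constructed sample context for a "missed messages" style notification.
# These are made-up values, not Synapse's real template variables.
NOTIF_CONTEXT: Dict[str, str] = {
    "sender_name": "Mallory <b>(admin)</b>",
    "room_name": "Project <i>chat</i>",
    "message_body": 'Please <a href="https://example.invalid/">re-verify</a> your account',
}

# Constructed template using Jinja2-style placeholders; only <p> and
# <blockquote> are legitimately part of the email body.
TEMPLATE = (
    "<p>{{ sender_name }} wrote in {{ room_name }}:</p>"
    "<blockquote>{{ message_body }}</blockquote>"
)

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")
_TAG = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")


def render_unescaped(template: str, context: Dict[str, str]) -> str:
    """Vulnerable pattern: user-controlled values are pasted into the HTML verbatim,
    which is what a template without escaping does."""
    return _VAR.sub(lambda m: context[m.group(1)], template)


def render_escaped(template: str, context: Dict[str, str]) -> str:
    """Mitigated pattern: every value is HTML-escaped before substitution,
    equivalent to applying Jinja2's escape filter to each variable."""
    return _VAR.sub(lambda m: html.escape(context[m.group(1)], quote=True), template)


def injected_tags(rendered: str, template: str) -> Set[str]:
    """Return the set of element names present in the rendered output that the
    template itself never declared; any such element came from the data."""
    template_tags = {t.lower() for t in _TAG.findall(template)}
    rendered_tags = {t.lower() for t in _TAG.findall(rendered)}
    return rendered_tags - template_tags


if __name__ == "__main__":
    unsafe = render_unescaped(TEMPLATE, NOTIF_CONTEXT)
    safe = render_escaped(TEMPLATE, NOTIF_CONTEXT)
    print("unescaped:", unsafe)
    print("injected elements:", sorted(injected_tags(unsafe, TEMPLATE)))
    print("escaped:  ", safe)
    print("injected elements:", sorted(injected_tags(safe, TEMPLATE)))
```

Run as a script, the unescaped rendering reports the a, b and i elements smuggled in through the display name, room name and message body, while the escaped rendering reports none because the markup survives only as entity text. A check like injected_tags is also a cheap assertion to keep in a test suite for any custom template override, so that a later template edit cannot silently drop the escaping.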

Weakness Enumeration: Special Elements Injection; XSS

Related Identifiers: ALT-PU-2021-1385, CVE-2021-21333, GHSA-C5F8-35QR-Q4FM, PYSEC-2021-134

Affected Products: Alt Linux, Synapse