PT-2023-28352 · Synapse+3
Lowerikjohnston · Published 2023-09-26 · Updated 2025-04-22 · CVE-2023-42453
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Synapse versions prior to 1.93.0
Description
The issue allows users to forge read receipts for any event if they know the room ID and event ID. Although such users cannot view the events, they can mark them as read, potentially causing confusion, since clients will display the event as read by a user who is not in the room.
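The missing check behind this advisory, modelled as an added example (not Synapse's code): a hypothetical receipt handler that trusts any room ID and event ID beside one that verifies the event belongs to the room and the sender is a joined member before recording the receipt. Room, event and user IDs are constructed sample values.

```python
from dataclasses import dataclass

# Hypothetical model of a homeserver's read-receipt path (not Synapse's code):
# the vulnerable handler trusts any (room_id, event_id) pair, the hardened one
# authorizes the sender first, closing the gap the advisory describes.

class ReceiptError(Exception):
    """Raised when a read receipt is rejected."""

@dataclass
class Room:
    room_id: str
    members: set      # user IDs currently joined to the room
    event_ids: set    # event IDs that belong to this room

class ReceiptStore:
    def __init__(self, rooms):
        self.rooms = {r.room_id: r for r in rooms}
        self.receipts = {}  # (room_id, event_id) -> set of readers

    def vulnerable_mark_read(self, user_id, room_id, event_id):
        # Pre-1.93.0 behaviour per the advisory: no membership or event check,
        # so a non-member who knows the IDs can appear as having read the event.
        self.receipts.setdefault((room_id, event_id), set()).add(user_id)
        return True

    def hardened_mark_read(self, user_id, room_id, event_id):
        # Authorize before recording: the event must belong to the room and
        # the sender must be a joined member who could actually see it.
        room = self.rooms.get(room_id)
        if room is None or event_id not in room.event_ids:
            raise ReceiptError(f"unknown event {event_id} in {room_id}")
        if user_id not in room.members:
            raise ReceiptError(f"{user_id} is not joined to {room_id}")
        self.receipts.setdefault((room_id, event_id), set()).add(user_id)
        return True

    def readers(self, room_id, event_id):
        return set(self.receipts.get((room_id, event_id), set()))

def demo():
    # Constructed sample data: @mallory is not joined to the private room.
    store = ReceiptStore([Room("!private:example.org", {"@alice:example.org"}, {"$ev1"})])
    store.vulnerable_mark_read("@mallory:example.org", "!private:example.org", "$ev1")
    forged = "@mallory:example.org" in store.readers("!private:example.org", "$ev1")
    try:
        store.hardened_mark_read("@mallory:example.org", "!private:example.org", "$ev1")
        blocked = False
    except ReceiptError:
        blocked = True
    return forged, blocked  # (True, True)
```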
Recommendations
For versions prior to 1.93.0, upgrade to version 1.93.0 or later to resolve the issue.
As a temporary workaround, consider restricting access to the read receipt functionality until a patch is applied.
Note that there are no known workarounds for this issue, and upgrading to the patched version is the recommended course of action.
Weakness Enumeration
Improper Authorization
Affected Products
Alt Linux
Linuxmint
Synapse
Ubuntu