FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-matrix-synapse -- XSS vulnerability

Affected packages
py36-matrix-synapse < 1.21.0
py37-matrix-synapse < 1.21.0
py38-matrix-synapse < 1.21.0
py39-matrix-synapse < 1.21.0

Details

VuXML ID 5f39d80f-107c-11eb-8b47-641c67a117d8
Discovery 2020-10-01
Entry 2020-10-17

Matrix developers report:

The fallback authentication endpoints served via Synapse were vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.

References

CVE Name CVE-2020-26891
FreeBSD PR ports/249948
URL https://github.com/matrix-org/synapse/releases/tag/v1.21.2
URL https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq