CVE-2021-21332

MEDIUM6.9EPSS 0.51%

Cross-site scripting (XSS) vulnerability in the password reset endpoint

Published: 3/26/2021Modified: 3/13/2026
Also known as:GHSA-246w-56m2-5899PYSEC-2021-133

Description

### Impact The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. ### Patches This is fixed in #9200. ### Workarounds Depending on the needs and configuration of the homeserver a few options are available: 1. Password resets can be disabled by delegating email to a third-party service (via the `account_threepid_delegates.email` setting) or disabling email (by not configuring the `email` setting). 2. If the homeserver is not configured to use passwords (via the `password_config.enabled` setting) then the affected endpoint can be blocked at a reverse proxy: * `/_synapse/client/password_reset/email/submit_token` 3. The `password_reset_confirmation.html` template can be overridden with a custom template that manually escapes the variables using [JInja2's `escape` filter](https://jinja.palletsprojects.com/en/2.11.x/templates/#escape). See the `email.template_dir` setting.

Affected packages (3)

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
osvCVSS 3.1MEDIUM6.9CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

References (9)