CVE-2021-21332

MEDIUM6.9EPSS 0.51%

Cross-site scripting (XSS) vulnerability in the password reset endpoint

發布日:2021/3/26修改日:2026/3/13
也稱為:GHSA-246w-56m2-5899PYSEC-2021-133

描述

### Impact The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. ### Patches This is fixed in #9200. ### Workarounds Depending on the needs and configuration of the homeserver a few options are available: 1. Password resets can be disabled by delegating email to a third-party service (via the `account_threepid_delegates.email` setting) or disabling email (by not configuring the `email` setting). 2. If the homeserver is not configured to use passwords (via the `password_config.enabled` setting) then the affected endpoint can be blocked at a reverse proxy: * `/_synapse/client/password_reset/email/submit_token` 3. The `password_reset_confirmation.html` template can be overridden with a custom template that manually escapes the variables using [JInja2's `escape` filter](https://jinja.palletsprojects.com/en/2.11.x/templates/#escape). See the `email.template_dir` setting.

受影響套件(3)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
osvCVSS 3.1MEDIUM6.9CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

參考連結(9)