CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

matrix_synapse is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute arbitrary JavaScript in a user's browser via the reCAPTCHA, consent (terms of service), or single sign-on functions.

CPE Name | Operator | Version |
---|---|---|
matrix-synapse | le | 1.21.0rc1 |
synapse:edge | eq | 1.11.1-r0 |
synapse:edge | eq | 1.14.0-r0 |
synapse:edge | eq | 1.12.3-r0 |
synapse:edge | eq | 1.12.0-r0 |
synapse:edge | eq | 1.12.4-r0 |

github.com/advisories/GHSA-3x8c-fmpc-5rmq
github.com/matrix-org/synapse/pull/8444
github.com/matrix-org/synapse/releases
github.com/matrix-org/synapse/releases/tag/v1.21.2
github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq
matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory