CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 21.0%

matrix-appservice-bridge is vulnerable to Improper Authentication. The vulnerability exists in the postExchangeOpenId function in api.ts because it does not reject foreign users in OpenID responses, which allows an attacker to perform unauthorized actions as the spoofed user.
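
The missing check, sketched as an added example that is not the project's own code: the user ID in an OpenID userinfo response is accepted only if it belongs to the server that was asked to validate the token. The function names and result shape are hypothetical; the `sub` field follows the Matrix federation OpenID userinfo response, and all sample values in the comments are constructed.

```typescript
// Added illustration; names below are hypothetical, not the bridge's own API.
interface OpenIdCheck {
  ok: boolean;
  userId?: string;   // set only when ok is true
  reason?: string;   // set only when ok is false
}

// Matrix user IDs have the form "@localpart:server_name". The server name may
// itself contain colons (port, IPv6 literal), so split at the FIRST colon only.
function serverNameOf(userId: string): string | null {
  if (userId.charAt(0) !== "@") return null;
  const sep = userId.indexOf(":");
  if (sep < 2 || sep === userId.length - 1) return null; // empty localpart or server
  return userId.slice(sep + 1);
}

// queriedServer: the homeserver the token was exchanged with.
// userinfo: the parsed JSON body that server returned, treated as untrusted.
function checkOpenIdSubject(queriedServer: string, userinfo: unknown): OpenIdCheck {
  if (typeof userinfo !== "object" || userinfo === null) {
    return { ok: false, reason: "userinfo response is not an object" };
  }
  const sub = (userinfo as { sub?: unknown }).sub;
  if (typeof sub !== "string") {
    return { ok: false, reason: "userinfo response has no string 'sub'" };
  }
  const claimed = serverNameOf(sub);
  if (claimed === null) {
    return { ok: false, reason: "malformed user ID in 'sub'" };
  }
  // A server may only vouch for its own users. Without this comparison, a
  // server under the attacker's control could answer with any user ID.
  // Comparing lowercased names is a choice made for this example.
  if (claimed.toLowerCase() !== queriedServer.toLowerCase()) {
    return { ok: false, reason: "server " + queriedServer + " returned foreign user " + sub };
  }
  return { ok: true, userId: sub };
}

// Constructed cases:
//   checkOpenIdSubject("example.org", { sub: "@alice:example.org" })  -> accepted
//   checkOpenIdSubject("other.example", { sub: "@alice:example.org" }) -> rejected
```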