Bugzilla – Bug 1184872
VUL-0: CVE-2021-21333: matrix-synapse: HTML injection in email and account expiry notifications
Last modified: 2021-04-16 13:15:01 UTC
In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.