From f60f1eed8a594f2464f079d9bfd21a8bd6186b1a Mon Sep 17 00:00:00 2001 From: "Danilo G. Baio" Date: Sat, 17 Oct 2020 13:50:26 +0000 Subject: security/vuxml: Document net-im/py-matrix-synapse issue PR: 249948 Submitted by: Sascha Biberhofer Security: CVE-2020-26891 --- security/vuxml/vuln.xml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) (limited to 'security') diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 95e9b8adc9e9..60fdda5f1364 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,41 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + py-matrix-synapse -- XSS vulnerability + + + py36-matrix-synapse + py37-matrix-synapse + py38-matrix-synapse + py39-matrix-synapse + 1.21.0 + + + + +

Matrix developers reports:

+
+

The fallback authentication endpoint served via Synapse were vulnerable + to cross-site scripting (XSS) attacks. The impact depends on the + configuration of the domain that Synapse is deployed on, but may allow + access to cookies and other browser data, CSRF vulnerabilities, and + access to other resources served on the same domain or parent domains.

+
+ +
+ + CVE-2020-26891 + https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq + https://github.com/matrix-org/synapse/releases/tag/v1.21.2 + ports/249948 + + + 2020-10-01 + 2020-10-16 + +
+ drupal -- Multiple Vulnerabilities -- cgit v1.2.3
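Review bot: the version bound in the new py-matrix-synapse entry (1.21.0, listed after the py36 to py39 package names) does not match the release linked in the references (releases/tag/v1.21.2). Please confirm against the GHSA-3x8c-fmpc-5rmq advisory that 1.21.0 is the first fixed version. If it is, say in the commit message why the v1.21.2 release page is the one cited, so nobody later reads the range as a typo. A smaller point in the description: "Matrix developers reports:" should read "Matrix developers report:".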