Bug 1906330 (CVE-2020-26891) - CVE-2020-26891 matrix-synapse: Cross-site scripting (XSS) vulnerability in the fallback authentication endpoint
Summary: CVE-2020-26891 matrix-synapse: Cross-site scripting (XSS) vulnerability in th...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2020-26891
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1840452 1906331
Blocks:
 
Reported: 2020-12-10 09:47 UTC by Michael Kaplan
Modified: 2021-02-16 18:45 UTC

Fixed In Version: matrix-synapse 1.21.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-10 12:47:04 UTC
Embargoed:



Description Michael Kaplan 2020-12-10 09:47:16 UTC
AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_matrix/client/r0/auth/*/fallback/web or /_matrix/client/unstable/auth/*/fallback/web Synapse endpoints.

External References:

https://github.com/matrix-org/synapse/pull/8444
https://github.com/matrix-org/synapse/releases/tag/v1.21.2
https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq
https://matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory
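
The pattern behind the description above, as an added illustration that is not Synapse's own code and not taken from the linked pull request: a fallback-auth style page that interpolates the `session` query parameter into an HTML attribute verbatim, beside the same page rendered with HTML escaping and with an allowlist check on the parameter. The host name, the page template, the `SESSION_RE` allowlist and the helper names are assumptions made for this example; the session-id format Synapse actually accepts is not stated on this page.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample request (hypothetical host): the session parameter
# carries a markup-injection payload of the kind the advisory describes.
MALICIOUS_URL = (
    "https://matrix.example.org/_matrix/client/r0/auth/m.login.recaptcha/fallback/web"
    "?session=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
)

# Hypothetical page template with the shape of a fallback-auth page
# (a form that posts the session id back). Not Synapse's template.
TEMPLATE = """<html><body>
<form method="post">
<input type="hidden" name="session" value="{session}">
<input type="submit" value="Authenticate">
</form>
</body></html>"""

# Assumed allowlist for session ids; the real format is not given on this page.
SESSION_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def session_from_url(url: str) -> str:
    """Extract the `session` query parameter as a request handler would."""
    query = parse_qs(urlparse(url).query)
    return query.get("session", [""])[0]


def render_vulnerable(session: str) -> str:
    """Unsafe: the parameter lands in the HTML attribute unescaped."""
    return TEMPLATE.format(session=session)


def render_escaped(session: str) -> str:
    """Hardened: HTML-escape the value (including quotes) before interpolation."""
    return TEMPLATE.format(session=html.escape(session, quote=True))


def render_strict(session: str) -> str:
    """Hardened further: reject anything outside the expected id alphabet,
    then escape anyway so the output does not depend on the allowlist alone."""
    if not SESSION_RE.fullmatch(session):
        raise ValueError("invalid session id")
    return render_escaped(session)


def contains_script_tag(page: str) -> bool:
    """Crude check used here to compare the two renderings: a literal
    <script tag in the output means the attribute boundary was broken."""
    return "<script" in page.lower()


if __name__ == "__main__":
    sess = session_from_url(MALICIOUS_URL)
    print("vulnerable page injects script:", contains_script_tag(render_vulnerable(sess)))
    print("escaped page injects script:   ", contains_script_tag(render_escaped(sess)))
    try:
        render_strict(sess)
    except ValueError as exc:
        print("strict renderer rejected it:   ", exc)
```

Escaping alone closes the injection shown here; the allowlist is the defence-in-depth a practitioner would add so that an unexpected value never reaches the template at all.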

Comment 1 Michael Kaplan 2020-12-10 09:47:33 UTC
Created matrix-synapse tracking bugs for this issue:

Affects: fedora-all [bug 1906331]

Comment 2 Product Security DevOps Team 2020-12-10 12:47:04 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

