Shodan
Vulnerabilities
Vulnerable Software
Matrix:  >> Synapse  >> 0.18.1  Security Vulnerabilities
CVE-2020-26891
AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_matrix/client/r0/auth/*/fallback/web or /_matrix/client/unstable/auth/*/fallback/web Synapse endpoints.
CVSS Score
6.1
EPSS Score
0.006
Published
2020-10-19
CVE-2019-18835
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.
CVSS Score
9.8
EPSS Score
0.002
Published
2019-11-08
CVE-2019-11842
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.
CVSS Score
7.5
EPSS Score
0.005
Published
2019-05-09
CVE-2019-5885
Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.
CVSS Score
7.5
EPSS Score
0.008
Published
2019-03-21
CVE-2018-16515
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVSS Score
8.8
EPSS Score
0.006
Published
2018-09-18
CVE-2018-12423
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
CVSS Score
7.5
EPSS Score
0.003
Published
2018-06-14
CVE-2018-12291
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
CVSS Score
7.5
EPSS Score
0.002
Published
2018-06-13
CVE-2018-10657
Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.
CVSS Score
7.5
EPSS Score
0.004
Published
2018-05-02


Products
Pricing
Contact Us

Shodan ® - All rights reserved