Matrix: Security Vulnerabilities
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
CVSS Score: 7.5; EPSS Score: 0.003; Published: 2018-06-14
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
CVSS Score: 7.5; EPSS Score: 0.002; Published: 2018-06-13
Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.
CVSS Score: 7.5; EPSS Score: 0.004; Published: 2018-05-02
Matrix FTP Server allows remote attackers to cause a denial of service (crash) by logging in using four spaces as the username and password and then issuing a LIST command.
CVSS Score: 5.0; EPSS Score: 0.008; Published: 2004-02-06

