GHSA-mh74-4m5g-fcjx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mh74-4m5g-fcjx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-mh74-4m5g-fcjx/GHSA-mh74-4m5g-fcjx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mh74-4m5g-fcjx
- Aliases
- Related
- Published
- 2021-04-19T14:54:24Z
- Modified
- 2024-09-24T18:21:17.797129Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Malicious users could abuse Sydent to control the content of invitation emails
- Details
-
Impact
A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example.
Patches
Fixed in 4469d1d, 6b405a8, 65a6e91.
Note that these patches include changes to the default email templates. If these templates have been locally modified, they must also be updated.
For more information
If you have any questions or comments about this advisory, email us at security@matrix.org.
- Database specific
{ "nvd_published_at": "2021-04-15T21:15:00Z", "cwe_ids": [ "CWE-20" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-04-15T20:47:15Z" }- References
-
- https://github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx
- https://nvd.nist.gov/vuln/detail/CVE-2021-29432
- https://github.com/matrix-org/sydent/commit/4469d1d42b2b1612b70638224c07e19623039c42
- https://github.com/matrix-org/sydent/releases/tag/v2.3.0
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-sydent/PYSEC-2021-23.yaml
- https://pypi.org/project/matrix-sydent
Affected packages
PyPI / matrix-sydent
Package
- Name
- matrix-sydent
- View open source insights on deps.dev
- Purl
- pkg:pypi/matrix-sydent