5.7

CVE-2021-29432

Malicious users could control the content of invitation emails

Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MatrixSydent Version < 2.3.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.93% 0.56
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.7 2.1 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/matrix-org/sydent/releases/tag/v2.3.0
Third Party Advisory
Release Notes
https://pypi.org/project/matrix-sydent/
Third Party Advisory
Product
https://github.com/matrix-org/sydent/commit/4469d1d42b2b1612b70638224c07e19623039c42
Patch
Third Party Advisory
https://github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx
Patch
Third Party Advisory