Malicious users could abuse Sydent to control the content of invitation emails
Moderate severity
GitHub Reviewed
Published
Apr 15, 2021
in
matrix-org/sydent
•
Updated Sep 24, 2024
Description
Reviewed
Apr 15, 2021
Published by the National Vulnerability Database
Apr 15, 2021
Published to the GitHub Advisory Database
Apr 19, 2021
Last updated
Sep 24, 2024
Impact
A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example.
Patches
Fixed in 4469d1d, 6b405a8, 65a6e91.
Note that these patches include changes to the default email templates. If these templates have been locally modified, they must also be updated.
For more information
If you have any questions or comments about this advisory, email us at security@matrix.org.
References