Vulnerabilities > Matrix > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-10-19 | CVE-2020-26891 | Cross-site Scripting vulnerability in Matrix Synapse: AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. | 4.3 |
2019-05-09 | CVE-2019-11842 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Matrix Sydent and Synapse: An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. | 5.0 |
2019-04-19 | CVE-2019-11340 | Improper Input Validation vulnerability in Matrix Sydent 1.0.0/1.0.1: util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. | 4.3 |
2018-06-14 | CVE-2018-12423 | Unspecified vulnerability in Matrix Synapse: In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force. | 5.0 |
2018-06-13 | CVE-2018-12291 | Unspecified vulnerability in Matrix Synapse: The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly. | 5.0 |
2018-05-02 | CVE-2018-10657 | Improper Input Validation vulnerability in Matrix Synapse: Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018. | 5.0 |
2004-02-06 | CVE-2004-2089 | Matrix FTP Server allows remote attackers to cause a denial of service (crash) by logging in using four spaces as the username and password and then issuing a LIST command. | 5.0 |