CVE-2020-26891: 
Python vulnerability analysis and mitigation

CVE-2020-26891 is a cross-site scripting (XSS) vulnerability discovered in Matrix Synapse versions before 1.21.0. The vulnerability was found in the AuthRestServlet component, which was susceptible to XSS attacks due to unsafe interpolation of the session GET parameter. The issue was discovered by Denis Kasak and was fixed with the release of Synapse 1.21.0 in October 2020 (Matrix Blog, NVD).

The vulnerability exists in the fallback authentication endpoint of Matrix Synapse. The issue allows a remote attacker to execute an XSS attack on the domain where Synapse is hosted by supplying a victim user with a malicious URL to the /_matrix/client/r0/auth//fallback/web or /_matrix/client/unstable/auth//fallback/web Synapse endpoints. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, GitHub Advisory).

The impact of this vulnerability depends on the configuration of the domain where Synapse is deployed. Successful exploitation could allow attackers to access cookies and other browser data, create CSRF vulnerabilities, and potentially access resources served on the same domain or parent domains (GitHub Advisory).

The vulnerability was patched in Synapse version 1.21.0. For systems that cannot immediately upgrade, a workaround exists if the homeserver is not configured to use reCAPTCHA, consent (terms of service), or single sign-on. The affected endpoints can be blocked at a reverse proxy: /_matrix/client/r0/auth//fallback/web and /_matrix/client/unstable/auth//fallback/web (GitHub Advisory).