CVE-2021-21333: 
Python vulnerability analysis and mitigation

Synapse, a Matrix reference homeserver written in Python, contained a vulnerability (CVE-2021-21333) related to HTML injection in email and account expiry notifications. The vulnerability was discovered and fixed in version 1.27.0, released in February 2021 (GitHub Advisory).

The vulnerability allowed HTML injection in two specific notification types: notification emails for missed messages and account expiry notifications. For missed messages notifications, an attacker could potentially insert forged content into the email. The account expiry feature, while also vulnerable to HTML injection, was not enabled by default and the HTML injection was not controllable by an attacker. The issue was related to improper escaping of variables in HTML templates (GitHub Advisory).

The impact of this vulnerability was considered Low severity. In the case of missed message notifications, attackers could potentially inject malicious HTML content into notification emails, potentially leading to phishing or other social engineering attacks. For account expiry notifications, the impact was limited since the feature was not enabled by default and the injection was not attacker-controllable (GitHub Advisory).

The issue was fixed in Synapse version 1.27.0. For users unable to upgrade, several workarounds were available: For missed messages notifications, the notif.html, notifmail.html, and room.html templates could be overridden with custom templates that manually escape variables using Jinja2's escape filter. For account expiry notifications, administrators could either disable account expiry via the accountvalidity.enabled setting or override the notice_expiry.html template with a custom template that properly escapes variables (GitHub Advisory).