CVE-2024-38503

2024-07-2210:15:08

CWE-79

apache

web.nvd.nist.gov

syncope

html tags

potential exploits

version 3.0.8

user requests

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

27.3%

JSON

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.

Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Affected configurations

Nvd

Vulners

Node

apachesyncopeRange2.1.0–2.1.14

apachesyncopeRange3.0.0–3.0.8

VendorProductVersionCPE
apachesyncope*cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	syncope	*	cpe:2.3:a:apache:syncope::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Syncope",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.1.14",
        "status": "affected",
        "version": "2.1",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "3.0.7",
        "status": "affected",
        "version": "3.0",
        "versionType": "semver"
      }
    ]
  }
]