Lucene search

[email protected]NVD:CVE-2024-38503

HistoryJul 22, 2024 - 10:15 a.m.

CVE-2024-38503

2024-07-2210:15:08

CWE-79

[email protected]

web.nvd.nist.gov

syncope

html tags

potential exploits

upgrade

version 3.0.8

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

27.3%

JSON

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.

Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Affected configurations

Nvd

Node

apachesyncopeRange2.1.0–2.1.14

apachesyncopeRange3.0.0–3.0.8

VendorProductVersionCPE
apachesyncope*cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	syncope	*	cpe:2.3:a:apache:syncope::::::::

References

syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser

www.openwall.com/lists/oss-security/2024/07/22/3