An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements
www.securityfocus.com/bid/103508
github.com/advisories/GHSA-xgc9-9w4v-h33h
github.com/apache/syncope/commit/726231fbf7b817bd2a9467171dcb1c0087c75bc
github.com/apache/syncope/commit/ad31479c1c543ac7d26b8c882aa14f6c00c1fd0
nvd.nist.gov/vuln/detail/CVE-2018-1321
www.exploit-db.com/exploits/45400