26 matches found
CVE-2026-42797
Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related...
CVE-2026-42797
CVE-2026-42797 (Apache Syncope) exposes a data-query related information disclosure via a misconfigured JEXL expression. An administrator with entitlements for Derived Schemas can craft a malicious JEXL expression that, if the requester also has User-read privileges, may access security-sensitive...
EUVD-2026-31702
Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related...
PT-2026-43079
Name of the Vulnerable Software and Affected Versions Apache Syncope versions 3.0 through 3.0.16 Apache Syncope versions 4.0 through 4.0.5 Apache Syncope version 4.1.0 Description An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL Java Expression Language...
Apache Syncope Cross-Site Scripting Vulnerability
Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope suffers from a cross-site scripting vulnerability that stem...
Apache Syncope Code Issue Vulnerability
Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope there is a code problem vulnerability , the vulnerability...
Apache Syncope: Console XXE on Keymaster parameters
Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. Th...
CVE-2026-23795
CVE-2026-23795 describes an XML External Entity (XXE) vulnerability in the Apache Syncope Console. An administrator with sufficient entitlements to create or edit Keymaster parameters can craft malicious XML text to trigger XXE, potentially leaking sensitive data. Affected versions: Apache Syncop...
Apache Syncope 跨站脚本漏洞
Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope suffers from a cross-site scripting vulnerability that stem...
PT-2026-6183
Name of the Vulnerable Software and Affected Versions Apache Syncope versions 3.0 through 3.0.15 Apache Syncope versions 4.0 through 4.0.3 Description A reflected cross-site scripting XSS issue exists in the Enduser Login page of Apache Syncope. An attacker could potentially steal user credential...
Cleartext Password Disclosure
Apache Syncope is vulnerable to Cleartext Password Disclosure. The issue arises from use of a hard-coded default AES key when AES-based password storage is enabled, allowing an attacker with access to the internal database to decrypt and recover user passwords...
Apache Syncope Trust Management Issues Vulnerability
Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope has a trust management issue vulnerability that stems from...
CVE-2025-65998
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
CVE-2025-65998 Apache Syncope: Default AES key used for internal password encryption
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
EUVD-2025-35052
Apache Syncope allows malicious administrators to inject Groovy code...
Apache Syncope 安全漏洞
Apache Syncope is an open source digital identity management system from the Apache USA Foundation for use in enterprise environments. The system supports identity management, role configuration, and more. A security vulnerability exists in Apache Syncope versions 3.0.14 and 4.0.2, which stems fr...
Apache Syncope 跨站脚本漏洞
Apache Syncope is an open source digital identity management system from the Apache USA Foundation for use in enterprise environments. The system supports identity management, role configuration, and more. A cross-site scripting vulnerability exists in Apache Syncope versions 2.1.X through 2.1.14...
GHSA-6QJ8-C27W-RP33 Cross-site scripting in Apache Syncome EndUser
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string...
Apache Syncope Remote Code Execution Vulnerability (CNVD-2020-52391)
Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. A security vulnerability exists in Apache Syncope 2.1.x prior to 2.1.7. An...
Apache Syncope Injection Vulnerability
Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. An injection vulnerability exists in Apache Syncope versions 2.0.X prior t...