XML External Entity (XXE) Injection

Apache Syncope Console is vulnerable to XML External Entity XXE injection. The vulnerability is due to improper restriction of external entity references in XML processing, where an authenticated administrator can submit malicious XML in Keymaster parameters via the Console, leading to sensitive...

CVE-2026-23795

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. Th...

org.apache.syncope.client.am:syncope-client-am-console (>=3.0.0 <=3.0.15), org.apache.syncope.client.idm:syncope-client-idm-console (>=3.0.0 <=3.0.15) +5 more potentially affected by CVE-2026-23795 via org.apache.syncope.client.idrepo:syncope-client-idrepo-console (>=3.0.0-M0 <=3.0.15)

org.apache.syncope.client.idrepo:syncope-client-idrepo-console MAVEN version =3.0.0-M0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.15 Source cves: CVE-2026-23795 Source advisory: SNYK:JAVA-ORGAPACHESYNCOPECLIENTIDREPO-15202477...

org.apache.syncope.client.am:syncope-client-am-console (>=4.0.0 <=4.0.3), org.apache.syncope.client.idm:syncope-client-idm-console (>=4.0.0 <=4.0.3) +4 more potentially affected by CVE-2026-23795 via org.apache.syncope.client.idrepo:syncope-client-idrepo-console (>=4.0.0 <=4.0.3)

org.apache.syncope.client.idrepo:syncope-client-idrepo-console MAVEN version =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.3 Source cves: CVE-2026-23795 Source advisory: OSV:GHSA-73F3-RQQF-2J54...

GHSA-73F3-RQQF-2J54 Apache Syncope: Console XXE on Keymaster parameters

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. Th...

EUVD-2026-5267

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. Th...

EUVD-2024-3072

Malicious code in bioql PyPI...

CVE-2024-45031

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

CVE-2024-45031

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

CVE-2024-45031

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

CVE-2024-45031

Apache Syncope is affected by a Stored XSS vulnerability (CVE-2024-45031) due to incomplete HTML sanitization when editing objects in the Syncope Console and Enduser interfaces. This can allow injection of XSS payloads that trigger for other users during normal usage and could lead to session hij...

CVE-2024-45031 Apache Syncope: Stored XSS in Console and Enduser

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

GHSA-8PXV-X6JQ-5VW9 Apache Syncope Improper Input Validation vulnerability

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing "Personal Information" or "User Requests". Users are recommended to upgrade to...

CVE-2024-38503

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to...

PT-2024-28040 · Unknown +1 · Syncope Console +2

Name of the Vulnerable Software and Affected Versions: Syncope versions prior to 3.0.8 Description: The issue allows HTML tags to be added to any text field when editing a user, group, or object in the Syncope Console, potentially leading to exploits. The same vulnerability is found in the Syncop...