Remote code execution

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution RCE vulnerability. Apache Syncope uses Java Bean Validation JSR 380 custom constraint validators. When...

Design/Logic Flaw

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution RCE was discovered...

CVE-2020-1961

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution RCE was discovered...

CVE-2020-1961

The CVE-2020-1961 vulnerability affects Apache Syncope: Server-Side Template Injection in Mail templates via JEXL, enabling Remote Code Execution. Affected versions are 2.0.x before 2.0.15 and 2.1.x before 2.1.6. Remediation is to apply the patched releases (2.0.15 and 2.1.6) or equivalent fixes;...

CVE-2019-17557

It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string...

CVE-2020-1959

CVE-2020-1959 affects Apache Syncope prior to 2.1.6. The vulnerability is a Server-Side Template Injection in Java EL interpolation used in Java Bean Validation custom constraint violation messages. An attacker could inject arbitrary Java EL expressions via error message templates, resulting in u...

CVE-2020-1959

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution RCE vulnerability. Apache Syncope uses Java Bean Validation JSR 380 custom constraint validators. When...

The vulnerability of the XSLT (Extensible Stylesheet Language Transformations) implementation of the Apache Syncope system allows a attacker to read the file, write to the file, or execute arbitrary code.

The vulnerability of the XSLT Extensible Stylesheet Language Transformations implementation of the Apache Syncope system’s digital identifier management mechanism is related to insufficient validation of input data. Exploiting this vulnerability allows an attacker to read files, write files, or...

XML External Entity (XXE)

apache syncope is vulnerable to XML external entity attacks XXE. An attacker is able to read and write arbitrary files and execute arbitrary code using malicious DTDs in the workflow definition entitlements...

Apache Syncope XML External Entity Injection Vulnerability

Apache Syncope is an open source system for managing digital identities in enterprise environments, implemented using Java EE technology and released under the Apache 2.0 license. Apache Syncope suffers from an XML external entity injection vulnerability. An administrator with workflow definition...

Apache Syncope Cross-Site Scripting Vulnerability

Apache Syncope is an open source system for managing digital identities in enterprise environments, implemented using Java EE technology and released under the Apache 2.0 license. A stored cross-site scripting vulnerability exists in Apache Syncope. A malicious user with sufficient administrative...

High severity vulnerability that affects org.apache.syncope:syncope-core

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can use XSL Transformations XSLT to perform malicious operations, including but not limited to file read, file write, and code execution...

GHSA-XGC9-9W4V-H33H High severity vulnerability that affects org.apache.syncope:syncope-core

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can use XSL Transformations XSLT to perform malicious operations, including but not limited to file read, file write, and code execution...

GHSA-V3VF-2R98-XW8W Exposure of Sensitive Information to an Unauthorized Actor in Apache syncope-cope

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can recover sensitive security values using the fiql and orderby parameters...

Exposure of Sensitive Information to an Unauthorized Actor in Apache syncope-cope

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can recover sensitive security values using the fiql and orderby parameters...

GHSA-9H9C-F287-C6VP Improper Control of Interaction Frequency in Apache syncope-core

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admi...

Improper Restriction of XML External Entity Reference in org.apache.syncope:syncope-core

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution...

GHSA-QFJV-998W-Q48F Improper Restriction of XML External Entity Reference in org.apache.syncope:syncope-core

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution...

Apache Syncope 2.0.7 Remote Code Execution

Exploit Title: Apache Syncope 2.0.7 - Remote Code Execution Date: 2018-09-12 Exploit Author: Che-Chun Kuo Vendor Homepage: https://syncope.apache.org/ Software Link: http://archive.apache.org/dist/syncope/ Version: 2.0.7 Tested on: Windows Advisory: https://syncope.apache.org/security CVE:...

Apache Syncope Remote Code Execution Vulnerability (CNVD-2018-18784)

Apache Syncope is the United States Apache Apache Software Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope uses XSLT to export report data to various formats...