168 matches found
Apache Syncope Cross-Site Scripting Vulnerability
Apache Syncope is an open source digital identity management system from the Apache Foundation (United States) for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope suffers from a cross-site scripting vulnerability that stem...
PT-2026-6184
Name of the Vulnerable Software and Affected Versions: Apache Syncope versions 3.0 through 3.0.15; Apache Syncope versions 4.0 through 4.0.3. Description: An issue exists in Apache Syncope Console where an administrator with sufficient privileges to create or edit Keymaster parameters can construct...
PT-2026-6183
Name of the Vulnerable Software and Affected Versions: Apache Syncope versions 3.0 through 3.0.15; Apache Syncope versions 4.0 through 4.0.3. Description: A reflected cross-site scripting (XSS) issue exists in the Enduser Login page of Apache Syncope. An attacker could potentially steal user credential...
Cleartext Password Disclosure
Apache Syncope is vulnerable to Cleartext Password Disclosure. The issue arises from use of a hard-coded default AES key when AES-based password storage is enabled, allowing an attacker with access to the internal database to decrypt and recover user passwords...
Remote Code Execution (RCE)
Apache Syncope is vulnerable to Remote Code Execution (RCE). The vulnerability is due to unsafe handling of custom Groovy implementations, where a malicious administrator can inject Groovy code that is executed by the Syncope Core at runtime, enabling remote code execution until sandboxing is...
Apache Syncope Trust Management Issues Vulnerability
Apache Syncope is an open source digital identity management system from the Apache Foundation (United States) for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope has a trust management issue vulnerability that stems from...
CVE-2025-65998
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
EUVD-2025-198717
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
GHSA-JQG8-M35Q-JH7J Apache Syncope's AES encryption stores hard-coded passwords in internal database
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
Apache Syncope's AES encryption stores hard-coded passwords in internal database
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
org.apache.syncope.core.am:syncope-core-am-logic (>=4.0.0 <=4.0.2), org.apache.syncope.core.am:syncope-core-am-rest-cxf (>=4.0.0 <=4.0.2) +18 more potentially affected by CVE-2025-65998 via org.apache.syncope.core:syncope-core-provisioning-java (>=4.0.0-M0 <=4.0.2)
org.apache.syncope.core:syncope-core-provisioning-java MAVEN version =4.0.0-M0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.2 and more Source cves: CVE-2...
org.apache.syncope.core:syncope-core-self-keymaster-starter (>=3.0.0 <=3.0.14) potentially affected by CVE-2025-65998 via org.apache.syncope.core:syncope-core-starter (>=3.0.0-M0 <=3.0.14)
org.apache.syncope.core:syncope-core-starter MAVEN version =3.0.0-M0, =3.0.0, =3.0.14 Source cves: CVE-2025-65998 Source advisory: SNYK:JAVA-ORGAPACHESYNCOPECORE-14105145...
CVE-2025-65998
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
CVE-2025-65998 Apache Syncope: Default AES key used for internal password encryption
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
CVE-2025-65998
CVE-2025-65998 affects Apache Syncope where storing user passwords in the internal database with AES can expose cleartext passwords if the AES key is hard-coded in the source. The issue occurs when the AES option is enabled; the default key value is always used, enabling an attacker with internal...
CVE-2025-65998 Apache Syncope: Default AES key used for internal password encryption
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
Apache Syncope Security Vulnerability
Apache Syncope is an open source digital identity management system from the Apache Foundation (United States) for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope has a trust management issue vulnerability that stems from...
PT-2025-47918
Name of the Vulnerable Software and Affected Versions: Apache Syncope versions prior to 3.0.15; Apache Syncope versions prior to 4.0.3. Description: Apache Syncope, when configured to use AES encryption for storing user passwords in its internal database, utilizes a hard-coded default key. This allow...
org.apache.syncope.core.am:syncope-core-am-logic (>=4.0.0 <=4.0.1), org.apache.syncope.core.am:syncope-core-am-rest-cxf (>=4.0.0 <=4.0.1) +17 more potentially affected by CVE-2025-57738 via org.apache.syncope.core:syncope-core-provisioning-java (>=4.0.0 <=4.0.1)
org.apache.syncope.core:syncope-core-provisioning-java MAVEN version =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.1 and mo...
org.apache.syncope.core.am:syncope-core-am-logic (>=3.0.0 <=3.0.13), org.apache.syncope.core.am:syncope-core-am-rest-cxf (>=3.0.0 <=3.0.13) +38 more potentially affected by CVE-2025-57738 via org.apache.syncope.core:syncope-core-persistence-api (>=3.0.0-M0 <=3.0.13)
org.apache.syncope.core:syncope-core-persistence-api MAVEN version =3.0.0-M0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.13 and more Source cves: CVE-2025-57738 Source ad...