168 matches found
EUVD-2025-35052
Apache Syncope allows malicious administrators to inject Groovy code...
GHSA-825G-MM5V-GGQ4 Apache Syncope allows malicious administrators to inject Groovy code
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machine...
Apache Syncope allows malicious administrators to inject Groovy code
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machine...
CVE-2025-57738
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machine...
CVE-2025-57738
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machine...
CVE-2025-57738 Apache Syncope: Remote Code Execution by delegated administrators
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machine...
CVE-2025-57738 Apache Syncope: Remote Code Execution by delegated administrators
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machine...
CVE-2025-57738
CVE-2025-57738 affects Apache Syncope where Groovy-based extensions can be injected by a privileged administrator to execute code remotely. The cited advisories describe that Groovy code execution arises from runtime-loaded Groovy implementations, enabling remote execution within a running Syncop...
Apache Syncope 安全漏洞
Apache Syncope is an open source digital identity management system from the Apache USA Foundation for use in enterprise environments. The system supports identity management, role configuration, and more. A security vulnerability exists in Apache Syncope versions 3.0.14 and 4.0.2, which stems fr...
EUVD-2021-1261
Malware in sbrugna...
EUVD-2021-1367
Malware in sbrugna...
EUVD-2021-1411
Malware in sbrugna...
EUVD-2022-0485
Malicious code in bioql PyPI...
EUVD-2022-2354
Malicious code in bioql PyPI...
EUVD-2022-5072
Malicious code in bioql PyPI...
PT-2025-42765
Name of the Vulnerable Software and Affected Versions Apache Syncope versions 3.0.0 through 3.0.13 Apache Syncope versions 4.0.0 through 4.0.1 Description Apache Syncope allows a malicious administrator to inject Groovy code that can be executed remotely by a running Apache Syncope Core instance...
CVE-2020-1959
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution RCE vulnerability. Apache Syncope uses Java Bean Validation JSR 380 custom constraint validators. When...
CVE-2020-1961
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution RCE was discovered...
CVE-2020-11977
In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution...
CVE-2019-17557
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string...