43 matches found
Cross-site Scripting
Apache Syncope Enduser is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient sanitization of user-controlled input on the Enduser Login page, allowing attackers to inject malicious scripts via crafted links, which can execute in the victimβs browser and potentially...
CVE-2026-23794
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Enduser Login page. An attacker can access sensitive user credentials by tricking a legitimate user into clicking a malicious link and logging in. Details Cross-site scripting or XSS is a code...
org.apache.syncope.client.am:syncope-client-am-console (>=3.0.0 <=3.0.15), org.apache.syncope.client.am:syncope-client-am-enduser (>=3.0.12 <=3.0.15) +13 more potentially affected by CVE-2026-23794 via org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui (>=3.0.0 <=3.0.15)
org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui MAVEN version =3.0.0, =3.0.0, =3.0.12, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.15 - org.apache.syncope.ext.saml2sp4ui:syncope-ext-saml2sp4...
GHSA-V84M-GFW5-HM2W Apache Syncope: Reflected XSS on Enduser Login
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
org.apache.syncope.client.am:syncope-client-am-console (>=3.0.0 <=3.0.15), org.apache.syncope.client.am:syncope-client-am-enduser (>=3.0.12 <=3.0.15) +14 more potentially affected by CVE-2026-23794 via org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui (>=3.0.0-M0 <=3.0.15)
org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui MAVEN version =3.0.0-M0, =3.0.0, =3.0.12, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.15 - org.apache.syncope.ext.saml2sp4ui:syncope-ext-saml2sp4ui-client-conso...
Apache Syncope: Reflected XSS on Enduser Login
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
CVE-2026-23794
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
CVE-2026-23794
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
CVE-2026-23794
Summary: CVE-2026-23794 is a reflected XSS affecting Apache Syncope Enduser Login page. A attacker can lure a user to click a crafted link and, upon login, potentially steal credentials. Affected versions: 3.0β3.0.15 and 4.0β4.0.3. Remediation: upgrade to 3.0.16 or 4.0.4 (or later). The CVSS v3.1...
CVE-2026-23794 Apache Syncope: Reflected XSS on Enduser Login
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
EUVD-2026-5265
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
CVE-2026-23794
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
CVE-2026-23794 Apache Syncope: Reflected XSS on Enduser Login
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
PT-2026-6483
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...
Apache Syncope θ·¨η«θζ¬ζΌζ΄
Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope suffers from a cross-site scripting vulnerability that stem...
PT-2026-6183
Name of the Vulnerable Software and Affected Versions Apache Syncope versions 3.0 through 3.0.15 Apache Syncope versions 4.0 through 4.0.3 Description A reflected cross-site scripting XSS issue exists in the Enduser Login page of Apache Syncope. An attacker could potentially steal user credential...
EUVD-2022-0485
Malicious code in bioql PyPI...
EUVD-2024-3072
Malicious code in bioql PyPI...
CVE-2019-17557
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string...