43 matches found
CVE-2019-17557
CVE-2019-17557 describes a reflected XSS in the Apache Syncope EndUser UI login page, before versions 2.0.15 and 2.1.6, where the UI reflects the successMessage parameter in the URL query string, allowing an attacker to execute arbitrary JavaScript in a user’s browser. The issue is caused by insu...
Cross-Site Scripting (XSS)
syncope-client-enduser is vulnerable to cross-site scripting XSS. Lack of sanitization in enduser notifications allow a remote attacker to inject and execute abitrary Javascript in a user's browser via the successMessage...
Cross-site Request Forgery (CSRF)
Apache Fediz is vulnerable to cross-site request forgery CSRF attacks. The attack happens when a client starts the authentication process and does not complete it for example when the IdP is unavailable, leading to a security context set up using a malicious client's roles for the given enduser...