
9 matches found

OSV
added 2026/02/03 6:30 p.m. · 0 views

GHSA-V84M-GFW5-HM2W Apache Syncope: Reflected XSS on Enduser Login

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...

6.8 CVSS · 5.8 AI score · 0.00038 EPSS
Exploits 0 · References 4
OSV
added 2026/02/03 4:16 p.m. · 1 views

CVE-2026-23794

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...

6.8 CVSS · 5.2 AI score
Exploits 0 · References 2
Positive Technologies
added 2026/02/03 12:0 a.m. · 2 views

PT-2026-6483

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...

6.8 CVSS · 5.3 AI score · 0.00038 EPSS
Exploits 0 · References 5
NVD
added 2024/10/24 3:15 p.m. · 12 views

CVE-2024-45031

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

6.1 CVSS · 0.02532 EPSS
Exploits 0 · References 2
Vulnrichment
added 2024/10/24 2:21 p.m. · 15 views

CVE-2024-45031 Apache Syncope: Stored XSS in Console and Enduser

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

5.9 AI score · 0.02532 EPSS
Exploits 0 · References 1
OSV
added 2024/07/22 12:30 p.m. · 3 views

GHSA-8PXV-X6JQ-5VW9 Apache Syncope Improper Input Validation vulnerability

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing "Personal Information" or "User Requests". Users are recommended to upgrade to...

7.1 CVSS · 5.8 AI score · 0.05963 EPSS
Exploits 0 · References 6
OSV
added 2024/07/22 10:15 a.m. · 13 views

CVE-2024-38503

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to...

5.4 CVSS · 5.4 AI score · 0.05963 EPSS
Exploits 0 · References 3
Positive Technologies
added 2024/07/22 12:0 a.m. · 2 views

PT-2024-28040 · Unknown +1 · Syncope Console +2

Name of the Vulnerable Software and Affected Versions: Syncope versions prior to 3.0.8

Description: The issue allows HTML tags to be added to any text field when editing a user, group, or object in the Syncope Console, potentially leading to exploits. The same vulnerability is found in the Syncop...

7.1 CVSS · 7 AI score · 0.05963 EPSS
Exploits 0 · References 13
vulnersOsv
added 2022/01/06 7:38 p.m. · 1 views

org.apache.syncope.ext.flowable:syncope-ext-flowable-client-enduser (>=2.1.3 <=2.1.14), org.apache.syncope.ext.oidcclient:syncope-ext-oidcclient-client-enduser (>=2.1.0 <=2.1.14) +1 more potentially affected by CVE-2019-17557 via org.apache.syncope.client:syncope-client-enduser (>=2.1.0 <=2.1.5)

org.apache.syncope.client:syncope-client-enduser MAVEN version =2.1.0, =2.1.3, =2.1.0, =2.1.0, =2.1.14 Source cves: CVE-2019-17557 Source advisory: OSV:GHSA-6QJ8-C27W-RP33...

5.4 CVSS · 6 AI score · 0.01193 EPSS
Exploits 0