Lucene search
K

235 matches found

RedhatCVE
RedhatCVE
added 2025/05/22 4:28 p.m.13 views

CVE-2020-1961

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution RCE was discovered...

9.8CVSS7.8AI score0.04645EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/22 3:11 p.m.7 views

CVE-2020-11977

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution...

8.5CVSS7AI score0.02835EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 8:20 a.m.10 views

CVE-2019-17557

It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string...

5.4CVSS7.1AI score0.0122EPSS
Exploits0References1
Veracode
Veracode
added 2024/11/04 5:37 a.m.11 views

Cross-Site Scripting (XSS)

Apache Syncope is vulnerable to Cross-site scripting XSS. The vulnerability is due to improper handling of HTML sanitization in the Syncope Console, which allows incomplete HTML tags to go unchecked and permits the injection of stored XSS payloads that can affect other users within the applicatio...

6.1CVSS5.6AI score0.0061EPSS
Exploits0References5Affected Software2
vulnersOsv
vulnersOsv
added 2024/10/24 3:31 p.m.8 views

org.apache.syncope.ext.camel:syncope-ext-camel-client-console (>=2.1.0 <=2.1.14), org.apache.syncope.ext.flowable:syncope-ext-flowable-client-console (>=2.1.10 <=2.1.14) +3 more potentially affected by CVE-2024-45031 via org.apache.syncope.client:syncope-client-console (>=2.1.0 <=2.1.14)

org.apache.syncope.client:syncope-client-console MAVEN version =2.1.0, =2.1.0, =2.1.10, =2.1.0, =2.1.0, =2.1.0, =2.1.14 Source cves: CVE-2024-45031 Source advisory: OSV:GHSA-JMRF-85G8-X8XV...

6.1CVSS5.8AI score0.0061EPSS
Exploits0
OSV
OSV
added 2024/10/24 3:31 p.m.8 views

GHSA-JMRF-85G8-X8XV Apache Syncope: Stored XSS in Console and Enduser

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

6.1CVSS5.8AI score0.0061EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2024/10/24 3:31 p.m.21 views

Apache Syncope: Stored XSS in Console and Enduser

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

6.1CVSS5.8AI score0.0061EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2024/10/24 3:15 p.m.44 views

CVE-2024-45031

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

6.1CVSS0.0061EPSS
Exploits0References2
Cvelist
Cvelist
added 2024/10/24 2:21 p.m.49 views

CVE-2024-45031 Apache Syncope: Stored XSS in Console and Enduser

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

0.0061EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2024/10/24 2:21 p.m.16 views

CVE-2024-45031 Apache Syncope: Stored XSS in Console and Enduser

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

5.9AI score0.0061EPSS
Exploits0References1
OSV
OSV
added 2024/10/24 2:21 p.m.3 views

CVE-2024-45031 Apache Syncope: Stored XSS in Console and Enduser

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

6.1CVSS5.9AI score0.0061EPSS
Exploits0References4
CVE
CVE
added 2024/10/24 2:21 p.m.67 views

CVE-2024-45031

Apache Syncope is affected by a Stored XSS vulnerability (CVE-2024-45031) due to incomplete HTML sanitization when editing objects in the Syncope Console and Enduser interfaces. This can allow injection of XSS payloads that trigger for other users during normal usage and could lead to session hij...

6.1CVSS6.1AI score0.0061EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2024/10/24 12:0 a.m.4 views

Apache Syncope 跨站脚本漏洞

Apache Syncope is an open source digital identity management system from the Apache USA Foundation for use in enterprise environments. The system supports identity management, role configuration, and more. A cross-site scripting vulnerability exists in Apache Syncope versions 2.1.X through 2.1.14...

6.1CVSS5.6AI score0.0061EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2024/10/24 12:0 a.m.6 views

PT-2024-31384

Name of the Vulnerable Software and Affected Versions: Syncope versions prior to 3.0.9 Description: The issue allows an attacker to bypass HTML sanitization by using incomplete HTML tags when editing objects in the Syncope Console. This enables the injection of stored XSS payloads, which can...

6.1CVSS5.9AI score0.0061EPSS
Exploits0References14
CNVD
CNVD
added 2024/07/24 12:0 a.m.5 views

Apache Syncope Input Validation Error Vulnerability

Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope suffers from an input validation error vulnerability that c...

5.4CVSS6.7AI score0.00702EPSS
Exploits0References1
Veracode
Veracode
added 2024/07/23 6:30 a.m.18 views

HTML Injection

Apache Syncope is vulnerable to HTML injection. The vulnerability is due to improper input validation, allowing HTML tags to be added to any text field, leading to potential injections. Attackers can use this to inject malicious HTML or scripts, which could compromise user data and application...

5.4CVSS6.9AI score0.00702EPSS
Exploits0References5Affected Software2
vulnersOsv
vulnersOsv
added 2024/07/22 12:30 p.m.6 views

org.apache.syncope.client.am:syncope-client-am-console (>=3.0.0 <=3.0.16), org.apache.syncope.client.am:syncope-client-am-enduser (>=3.0.12 <=3.0.16) +14 more potentially affected by CVE-2024-38503 via org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui (>=3.0.0-M0 <=3.0.7)

org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui MAVEN version =3.0.0-M0, =3.0.0, =3.0.12, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.16 - org.apache.syncope.ext.saml2sp4ui:syncope-ext-saml2sp4ui-client-consol...

5.4CVSS5.8AI score0.00702EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2024/07/22 12:30 p.m.8 views

org.apache.syncope.client.am:syncope-client-am-console (>=3.0.0 <=3.0.16), org.apache.syncope.client.idm:syncope-client-idm-console (>=3.0.0 <=3.0.16) +5 more potentially affected by CVE-2024-38503 via org.apache.syncope.client.idrepo:syncope-client-idrepo-console (>=3.0.0-M0 <=3.0.7)

org.apache.syncope.client.idrepo:syncope-client-idrepo-console MAVEN version =3.0.0-M0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.16 Source cves: CVE-2024-38503 Source advisory: OSV:GHSA-8PXV-X6JQ-5VW9...

5.4CVSS5.8AI score0.00702EPSS
Exploits0
OSV
OSV
added 2024/07/22 12:30 p.m.8 views

GHSA-8PXV-X6JQ-5VW9 Apache Syncope Improper Input Validation vulnerability

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing "Personal Information" or "User Requests". Users are recommended to upgrade to...

7.1CVSS5.8AI score0.00702EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2024/07/22 12:30 p.m.25 views

Apache Syncope Improper Input Validation vulnerability

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing "Personal Information" or "User Requests". Users are recommended to upgrade to...

5.4CVSS6.8AI score0.00702EPSS
Exploits0References6Affected Software2
Rows per page
Query Builder