235 matches found
CVE-2020-1961
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution RCE was discovered...
CVE-2020-11977
In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution...
CVE-2019-17557
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string...
Cross-Site Scripting (XSS)
Apache Syncope is vulnerable to Cross-site scripting XSS. The vulnerability is due to improper handling of HTML sanitization in the Syncope Console, which allows incomplete HTML tags to go unchecked and permits the injection of stored XSS payloads that can affect other users within the applicatio...
org.apache.syncope.ext.camel:syncope-ext-camel-client-console (>=2.1.0 <=2.1.14), org.apache.syncope.ext.flowable:syncope-ext-flowable-client-console (>=2.1.10 <=2.1.14) +3 more potentially affected by CVE-2024-45031 via org.apache.syncope.client:syncope-client-console (>=2.1.0 <=2.1.14)
org.apache.syncope.client:syncope-client-console MAVEN version =2.1.0, =2.1.0, =2.1.10, =2.1.0, =2.1.0, =2.1.0, =2.1.14 Source cves: CVE-2024-45031 Source advisory: OSV:GHSA-JMRF-85G8-X8XV...
GHSA-JMRF-85G8-X8XV Apache Syncope: Stored XSS in Console and Enduser
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...
Apache Syncope: Stored XSS in Console and Enduser
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...
CVE-2024-45031
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...
CVE-2024-45031 Apache Syncope: Stored XSS in Console and Enduser
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...
CVE-2024-45031 Apache Syncope: Stored XSS in Console and Enduser
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...
CVE-2024-45031 Apache Syncope: Stored XSS in Console and Enduser
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...
CVE-2024-45031
Apache Syncope is affected by a Stored XSS vulnerability (CVE-2024-45031) due to incomplete HTML sanitization when editing objects in the Syncope Console and Enduser interfaces. This can allow injection of XSS payloads that trigger for other users during normal usage and could lead to session hij...
Apache Syncope 跨站脚本漏洞
Apache Syncope is an open source digital identity management system from the Apache USA Foundation for use in enterprise environments. The system supports identity management, role configuration, and more. A cross-site scripting vulnerability exists in Apache Syncope versions 2.1.X through 2.1.14...
PT-2024-31384
Name of the Vulnerable Software and Affected Versions: Syncope versions prior to 3.0.9 Description: The issue allows an attacker to bypass HTML sanitization by using incomplete HTML tags when editing objects in the Syncope Console. This enables the injection of stored XSS payloads, which can...
Apache Syncope Input Validation Error Vulnerability
Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope suffers from an input validation error vulnerability that c...
HTML Injection
Apache Syncope is vulnerable to HTML injection. The vulnerability is due to improper input validation, allowing HTML tags to be added to any text field, leading to potential injections. Attackers can use this to inject malicious HTML or scripts, which could compromise user data and application...
org.apache.syncope.client.am:syncope-client-am-console (>=3.0.0 <=3.0.16), org.apache.syncope.client.am:syncope-client-am-enduser (>=3.0.12 <=3.0.16) +14 more potentially affected by CVE-2024-38503 via org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui (>=3.0.0-M0 <=3.0.7)
org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui MAVEN version =3.0.0-M0, =3.0.0, =3.0.12, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.16 - org.apache.syncope.ext.saml2sp4ui:syncope-ext-saml2sp4ui-client-consol...
org.apache.syncope.client.am:syncope-client-am-console (>=3.0.0 <=3.0.16), org.apache.syncope.client.idm:syncope-client-idm-console (>=3.0.0 <=3.0.16) +5 more potentially affected by CVE-2024-38503 via org.apache.syncope.client.idrepo:syncope-client-idrepo-console (>=3.0.0-M0 <=3.0.7)
org.apache.syncope.client.idrepo:syncope-client-idrepo-console MAVEN version =3.0.0-M0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.16 Source cves: CVE-2024-38503 Source advisory: OSV:GHSA-8PXV-X6JQ-5VW9...
GHSA-8PXV-X6JQ-5VW9 Apache Syncope Improper Input Validation vulnerability
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing "Personal Information" or "User Requests". Users are recommended to upgrade to...
Apache Syncope Improper Input Validation vulnerability
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing "Personal Information" or "User Requests". Users are recommended to upgrade to...