Lucene search
K
ApacheSyncope4.0.0

6 matches found

CVE
CVE
β€’added 2025/11/24 1:47 p.m.β€’42 views

CVE-2025-65998

CVE-2025-65998 affects Apache Syncope where storing user passwords in the internal database with AES can expose cleartext passwords if the AES key is hard-coded in the source. The issue occurs when the AES option is enabled; the default key value is always used, enabling an attacker with internal...

7.5CVSS6.4AI score0.00448EPSS
CVE
CVE
β€’added 2026/05/25 3:0 p.m.β€’40 views

CVE-2026-42797

CVE-2026-42797 (Apache Syncope) exposes a data-query related information disclosure via a misconfigured JEXL expression. An administrator with entitlements for Derived Schemas can craft a malicious JEXL expression that, if the requester also has User-read privileges, may access security-sensitive...

4.9CVSS5.8AI score0.00436EPSS
CVE
CVE
β€’added 2025/10/20 2:43 p.m.β€’34 views

CVE-2025-57738

CVE-2025-57738 affects Apache Syncope where Groovy-based extensions can be injected by a privileged administrator to execute code remotely. The cited advisories describe that Groovy code execution arises from runtime-loaded Groovy implementations, enabling remote execution within a running Syncop...

7.2CVSS6.8AI score0.23107EPSS
CVE
CVE
β€’added 2026/05/25 2:58 p.m.β€’31 views

CVE-2026-42782

CVE-2026-42782 affects Apache Syncope 3.0–3.0.16, 4.0–4.0.5, and 4.1.0, caused by improper isolation that lets an administrator with sufficient entitlements load a malicious Groovy class whose static initializer reaches a non-sandboxed execution path. Remediation is to upgrade to 4.0.6 or 4.1.1, ...

7.2CVSS6AI score0.00652EPSS
CVE
CVE
β€’added 2026/02/03 3:14 p.m.β€’18 views

CVE-2026-23795

CVE-2026-23795 describes an XML External Entity (XXE) vulnerability in the Apache Syncope Console. An administrator with sufficient entitlements to create or edit Keymaster parameters can craft malicious XML text to trigger XXE, potentially leaking sensitive data. Affected versions: Apache Syncop...

4.9CVSS5.2AI score0.00827EPSS
CVE
CVE
β€’added 2026/02/03 3:15 p.m.β€’15 views

CVE-2026-23794

Summary: CVE-2026-23794 is a reflected XSS affecting Apache Syncope Enduser Login page. A attacker can lure a user to click a crafted link and, upon login, potentially steal credentials. Affected versions: 3.0–3.0.15 and 4.0–4.0.3. Remediation: upgrade to 3.0.16 or 4.0.4 (or later). The CVSS v3.1...

6.8CVSS5.3AI score0.00362EPSS