Syncope Security Vulnerabilities and Issues — Syncope CVE List

Lucene search

ApacheSyncope

3 matches found

CVE•added 2020/05/04 1:15 p.m.•65 views

CVE-2020-1959

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When...

9.8CVSS9.8AI score0.01649EPSS

CVE•added 2020/05/04 1:15 p.m.•64 views

CVE-2020-1961

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.

9.8CVSS9.8AI score0.07128EPSS

CVE•added 2020/05/04 1:15 p.m.•59 views

CVE-2019-17557

It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.

5.4CVSS5.5AI score0.01193EPSS