oss-sec mailing list archives

[CVE-2019-17557] Enduser UI XSS


From: Francesco Chicchiriccò <ilgrosso () apache org>
Date: Sat, 2 May 2020 14:27:25 +0200

Description:
It was found that the Enduser UI login page reflects the successMessage parameter without escaping it.
By this means, a user accessing the Enduser UI could execute JavaScript code supplied in the URL query string.

Severity: Medium

Vendor: The Apache Software Foundation

Affects:
2.0.X releases prior to 2.0.15
2.1.X releases prior to 2.1.6

Solution:
2.0.X users: upgrade to 2.0.15
2.1.X users: upgrade to 2.1.6

Credit:
This issue was independently discovered by CNCERT songmingxuan and GitHub Security Lab team member Alvaro Muñoz - https://github.com/pwntester

References:
https://syncope.apache.org/security
