oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-38503: Apache Syncope: HTML tags can be injected into Console or Enduser text fields

From: Francesco Chicchiriccò <ilgrosso () apache org>
Date: Mon, 22 Jul 2024 09:35:35 +0000
Severity: moderate

Affected versions:

- Apache Syncope 2.1 through 2.1.14
- Apache Syncope 3.0 through 3.0.7

Description:

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could 
lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.

Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Credit:

Basalt IT-Security Team (finder)

References:

https://syncope.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-38503
Previous By Date Next
Previous By Thread Next

Current thread: