Skip to main content

Syncope CVE-2018-1322

MEDIUM
Information Exposure (CWE-200)
2018-03-20 security@apache.org
4.9
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 20, 2018 - 17:29 nvd
MEDIUM 4.9

DescriptionNVD

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.

AnalysisAI

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters. Affected products include: Apache Syncope. Version information: before 1.2.11.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2018-1321 HIGH POC
7.2 Mar 20

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and un

CVE-2020-1961 CRITICAL
9.8 May 04

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1

CVE-2020-1959 CRITICAL
9.8 May 04

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary

CVE-2020-11977 HIGH
7.2 Sep 15

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow

CVE-2018-17186 HIGH
7.2 Nov 06

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not li

CVE-2026-23794 MEDIUM
6.8 Feb 03

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a maliciou

CVE-2014-0111 MEDIUM
6.5 Apr 17

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via

CVE-2024-45031 MEDIUM
6.1 Oct 24

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. Rated mediu

CVE-2024-38503 MEDIUM
5.4 Jul 22

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could le

CVE-2018-17184 MEDIUM
5.4 Nov 06

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements

CVE-2014-3503 MEDIUM
5.0 Jul 11

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attack

CVE-2026-23795 MEDIUM
4.9 Feb 03

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Share

CVE-2018-1322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy