Skip to main content

Syncope CVE-2024-45031

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-10-24 security@apache.org
6.1
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (apache) · only source for this CVE.

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 24, 2024 - 15:15 cve.org
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 maven packages depend on org.apache.syncope.client:syncope-client-console (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.1.0.

DescriptionCVE.org

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.

Users are recommended to upgrade to version 3.0.9, which fixes this issue.

AnalysisAI

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking. Users are recommended to upgrade to version 3.0.9, which fixes this issue. Affected products include: Apache Syncope. Version information: version 3.0.9.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2018-1321 HIGH POC
7.2 Mar 20

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and un

CVE-2020-1961 CRITICAL
9.8 May 04

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1

CVE-2020-1959 CRITICAL
9.8 May 04

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary

CVE-2018-1322 MEDIUM POC
4.9 Mar 20

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupporte

CVE-2020-11977 HIGH
7.2 Sep 15

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow

CVE-2018-17186 HIGH
7.2 Nov 06

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not li

CVE-2026-23794 MEDIUM
6.8 Feb 03

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a maliciou

CVE-2014-0111 MEDIUM
6.5 Apr 17

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via

CVE-2024-38503 MEDIUM
5.4 Jul 22

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could le

CVE-2018-17184 MEDIUM
5.4 Nov 06

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements

CVE-2014-3503 MEDIUM
5.0 Jul 11

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attack

CVE-2026-23795 MEDIUM
4.9 Feb 03

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Share

CVE-2024-45031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy