Syncope
CVE-2026-23794
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 14 maven packages depend on org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui (5 direct, 9 indirect)
Ecosystem-wide dependent count for version 3.0.0.
DescriptionCVE.org
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.
This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.
Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.
AnalysisAI
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. [CVSS 6.8 MEDIUM]
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Syncope. Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.
This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.
Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.
RemediationAI
Update to version 3.0.16 or later. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and un
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupporte
In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not li
Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. Rated mediu
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could le
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attack
Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v84m-gfw5-hm2w