Skip to main content

Syncope

14 CVEs product

Monthly

CVE-2026-23795 Maven MEDIUM PATCH This Month

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Apache XXE Syncope
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-23794 Maven MEDIUM PATCH This Month

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. [CVSS 6.8 MEDIUM]

Apache XSS Syncope
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-65998 Maven HIGH PATCH This Month

Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Syncope
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-45031 Maven MEDIUM This Month

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Syncope
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-38503 Maven MEDIUM PATCH This Month

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Syncope
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-11977 Maven HIGH PATCH This Week

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Syncope
NVD
CVSS 3.1
7.2
EPSS
2.8%
CVE-2020-1961 Maven CRITICAL PATCH Act Now

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Syncope
NVD
CVSS 3.1
9.8
EPSS
4.6%
CVE-2020-1959 Maven CRITICAL PATCH Act Now

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java RCE Syncope
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2018-17186 Maven HIGH PATCH This Week

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE RCE Syncope
NVD
CVSS 3.0
7.2
EPSS
2.5%
CVE-2018-17184 Maven MEDIUM PATCH This Month

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Syncope
NVD
CVSS 3.0
5.4
EPSS
1.2%
CVE-2018-1322 Maven MEDIUM POC PATCH THREAT This Month

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Syncope
NVD Exploit-DB
CVSS 3.0
4.9
EPSS
20.5%
CVE-2018-1321 Maven HIGH POC PATCH THREAT This Week

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache RCE Syncope
NVD Exploit-DB
CVSS 3.0
7.2
EPSS
18.0%
CVE-2014-3503 Maven MEDIUM PATCH This Month

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Syncope
NVD
CVSS 2.0
5.0
EPSS
1.9%
CVE-2014-0111 Maven MEDIUM PATCH This Month

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Java RCE Code Injection Apache Syncope
NVD VulDB
CVSS 2.0
6.5
EPSS
1.4%
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Apache XXE Syncope
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. [CVSS 6.8 MEDIUM]

Apache XSS Syncope
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Month

Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Syncope
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Syncope
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Syncope
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Syncope
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Syncope
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java RCE +1
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE RCE Syncope
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Syncope
NVD
EPSS 21% CVSS 4.9
MEDIUM POC PATCH THREAT This Month

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Syncope
NVD Exploit-DB
EPSS 18% CVSS 7.2
HIGH POC PATCH THREAT This Week

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache RCE Syncope
NVD Exploit-DB
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Syncope
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Java RCE Code Injection +2
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy