XSLT Vulnerability in Apache Syncope Affects Multiple Versions
CVE-2018-1321

7.2HIGH

Key Information:

Vendor: Apache
Status: Apache Syncope
Vendor: CVE Published:; 20 March 2018

🔔 Create Apache Vulnerability Alert

What is CVE-2018-1321?

An issue exists in Apache Syncope that allows an administrator with specific report and template entitlements to exploit XSL Transformations (XSLT). This exploitation can lead to unauthorized actions such as reading files, writing files, and executing code on the affected systems. Administrators must be aware of the versions that are vulnerable to ensure they implement appropriate security measures.

Affected Version(s)

Apache Syncope Releases prior to 1.2.11, Releases prior to 2.0.8

Apache Syncope The unsupported Releases 1.0.x, 1.1.x may be also affected.

References

http://www.securityfocus.com/bid/103508

vdb-entryx_refsource_BID

http://syncope.apache.org/security.html#CVE-2018-1321:_Re...

x_refsource_MISC

https://www.exploit-db.com/exploits/45400/

exploitx_refsource_EXPLOIT-DB

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2018
Vulnerability Reserved
Dec 7, 2017

.