HTML Tag Vulnerability in Syncope Console Could Lead to Exploits

CVE-2024-38503

5.4 MEDIUM

Key Information

Vendor
Apache
Status
Apache Syncope
CVE Published: 22 July 2024

Summary

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.

Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Affected Version(s)

Apache Syncope <= 2.1.14

Apache Syncope <= 3.0.7

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database

Credit

Basalt IT-Security Team