Incomplete HTML Tags Can Bypass HTML Sanitization and Lead to XSS Injection in Syncope Console
CVE-2024-45031

Key Information:

Vendor
Apache
CVE Published:
24 October 2024

Summary

A cross-site scripting (XSS) vulnerability has been identified in the Apache Syncope Console. The flaw arises from the handling of incomplete HTML tags during the object editing process, which allows attackers to circumvent the HTML sanitization measures in place. This can lead to stored XSS payloads being injected and later executed in the browsers of other users while they use the application normally. Similar XSS payloads can also be injected in the Syncope Enduser interface when users edit their 'Personal Information' or 'User Requests'. This compromises the security of the console, since it potentially enables session hijacking against administrators working within the Syncope Console. Users are strongly advised to upgrade to version 3.0.9, which addresses this issue.

Affected Version(s)

Apache Syncope 2.1 <= 2.1.14

Apache Syncope 3.0 <= 3.0.8

Credit

Kasper Karlsson, Omegapoint
Pontus Hanssen, Omegapoint