Vulnerabilities > Apache > Syncope > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-07-22 CVE-2024-38503 Unspecified vulnerability in Apache Syncope
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue.
network
low complexity
apache
5.4
2020-05-04 CVE-2019-17557 Cross-site Scripting vulnerability in Apache Syncope
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters.
network
low complexity
apache CWE-79
5.4
2018-11-06 CVE-2018-17184 Cross-site Scripting vulnerability in Apache Syncope
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions.
network
low complexity
apache CWE-79
5.4
2018-03-20 CVE-2018-1322 Information Exposure vulnerability in Apache Syncope
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.
network
low complexity
apache CWE-200
4.9