// For flags

CVE-2024-38503

Apache Syncope: HTML tags can be injected into Console or Enduser text fields

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.

Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Al editar un usuario, grupo o cualquier objeto en Syncope Console, se podrían agregar etiquetas HTML a cualquier campo de texto y podrían dar lugar a posibles exploits. La misma vulnerabilidad se encontró en Syncope Enduser, al editar “Personal Information” o “User Requests”. Se recomienda a los usuarios actualizar a la versión 3.0.8, que soluciona este problema.

*Credits: Basalt IT-Security Team
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-06-18 CVE Reserved
  • 2024-07-22 CVE Published
  • 2024-09-11 CVE Updated
  • 2024-09-12 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache Software Foundation
Search vendor "Apache Software Foundation"
Apache Syncope
Search vendor "Apache Software Foundation" for product "Apache Syncope"
>= 2.1.0 <= 2.1.14
Search vendor "Apache Software Foundation" for product "Apache Syncope" and version " >= 2.1.0 <= 2.1.14"
en
Affected
Apache Software Foundation
Search vendor "Apache Software Foundation"
Apache Syncope
Search vendor "Apache Software Foundation" for product "Apache Syncope"
>= 3.0.0 <= 3.0.7
Search vendor "Apache Software Foundation" for product "Apache Syncope" and version " >= 3.0.0 <= 3.0.7"
en
Affected