CVE-2024-38503
Apache Syncope: HTML tags can be injected into Console or Enduser text fields
Severity Score
"-"
*CVSS v-
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.
Users are recommended to upgrade to version 3.0.8, which fixes this issue.
Al editar un usuario, grupo o cualquier objeto en Syncope Console, se podrían agregar etiquetas HTML a cualquier campo de texto y podrían dar lugar a posibles exploits. La misma vulnerabilidad se encontró en Syncope Enduser, al editar “Personal Information” o “User Requests”. Se recomienda a los usuarios actualizar a la versión 3.0.8, que soluciona este problema.
*Credits:
Basalt IT-Security Team
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-06-18 CVE Reserved
- 2024-07-22 CVE Published
- 2024-09-11 CVE Updated
- 2024-09-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2024/07/22/3 |
|
|
| https://www.openwall.com/lists/oss-security/2024/07/22/3 |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Syncope Search vendor "Apache Software Foundation" for product "Apache Syncope" | >= 2.1.0 <= 2.1.14 Search vendor "Apache Software Foundation" for product "Apache Syncope" and version " >= 2.1.0 <= 2.1.14" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Syncope Search vendor "Apache Software Foundation" for product "Apache Syncope" | >= 3.0.0 <= 3.0.7 Search vendor "Apache Software Foundation" for product "Apache Syncope" and version " >= 3.0.0 <= 3.0.7" | en |
Affected
| ||||||