Search criteria
42 vulnerabilities found for syncope by apache
FKIE_CVE-2025-65998
Vulnerability from fkie_nvd - Published: 2025-11-24 14:15 - Updated: 2025-11-26 14:30
Severity ?
Summary
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.
When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.
This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.
Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/11/24/1 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D773E581-822F-4431-BEFB-48BE61A743EC",
"versionEndIncluding": "2.1.14",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DE40E959-C93C-43E0-80AE-4FAB31C47165",
"versionEndExcluding": "3.0.15",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EFD9390D-0F3F-453D-ACCC-BFF74C6D9623",
"versionEndExcluding": "4.0.3",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue."
}
],
"id": "CVE-2025-65998",
"lastModified": "2025-11-26T14:30:26.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-11-24T14:15:48.417",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/11/24/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-321"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-57738
Vulnerability from fkie_nvd - Published: 2025-10-20 15:15 - Updated: 2025-11-04 22:16
Severity ?
Summary
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.
Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.
Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8823A707-C1A3-4418-8DC2-CB879C8D2D8A",
"versionEndExcluding": "3.0.14",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8722F657-C2A5-49FE-B79D-2B06F030A8AF",
"versionEndExcluding": "4.0.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\nSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\nUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox."
}
],
"id": "CVE-2025-57738",
"lastModified": "2025-11-04T22:16:31.757",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-10-20T15:15:33.553",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Release Notes"
],
"url": "https://lists.apache.org/thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/10/20/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-653"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-45031
Vulnerability from fkie_nvd - Published: 2024-10-24 15:15 - Updated: 2025-09-29 21:48
Severity ?
Summary
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.
XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.
Users are recommended to upgrade to version 3.0.9, which fixes this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/fn567pfmo3s55ofkc42drz8b4kgbhp9m | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/10/24/2 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64C7680C-A187-4DEF-BD86-FC6268B28388",
"versionEndExcluding": "3.0.9",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.\nXSS payloads could also be injected in Syncope Enduser when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.\n\nUsers are recommended to upgrade to version 3.0.9, which fixes this issue."
},
{
"lang": "es",
"value": "Al editar objetos en Syncope Console, se pod\u00edan usar etiquetas HTML incompletas para evitar la desinfecci\u00f3n de HTML. Esto hac\u00eda posible inyectar payloads XSS almacenados que se activaban para otros usuarios durante el uso normal de la aplicaci\u00f3n. Los payloads XSS tambi\u00e9n se pod\u00edan inyectar en Syncope Enduser al editar \u201cInformaci\u00f3n personal\u201d o \u201cSolicitudes de usuario\u201d: dichos payloads se activaban para los administradores en Syncope Console, lo que permit\u00eda el secuestro de sesiones. Se recomienda a los usuarios que actualicen a la versi\u00f3n 3.0.9, que soluciona este problema."
}
],
"id": "CVE-2024-45031",
"lastModified": "2025-09-29T21:48:09.880",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-10-24T15:15:13.533",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/fn567pfmo3s55ofkc42drz8b4kgbhp9m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/10/24/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-38503
Vulnerability from fkie_nvd - Published: 2024-07-22 10:15 - Updated: 2024-12-06 22:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
3.9 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
3.9 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.
Users are recommended to upgrade to version 3.0.8, which fixes this issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D773E581-822F-4431-BEFB-48BE61A743EC",
"versionEndIncluding": "2.1.14",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79835E04-29F1-42AD-BCA2-B1452B9FE448",
"versionEndExcluding": "3.0.8",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.\nThe same vulnerability was found in the Syncope Enduser, when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d.\n\nUsers are recommended to upgrade to version 3.0.8, which fixes this issue."
},
{
"lang": "es",
"value": " Al editar un usuario, grupo o cualquier objeto en Syncope Console, se podr\u00edan agregar etiquetas HTML a cualquier campo de texto y podr\u00edan dar lugar a posibles exploits. La misma vulnerabilidad se encontr\u00f3 en Syncope Enduser, al editar \u201cPersonal Information\u201d o \u201cUser Requests\u201d. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.0.8, que soluciona este problema."
}
],
"id": "CVE-2024-38503",
"lastModified": "2024-12-06T22:15:19.420",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-22T10:15:08.723",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser"
},
{
"source": "security@apache.org",
"url": "https://www.openwall.com/lists/oss-security/2024/07/22/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/07/22/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2020-11977
Vulnerability from fkie_nvd - Published: 2020-09-15 20:15 - Updated: 2024-11-21 04:59
Severity ?
Summary
In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "19F75F8C-F0A1-45E6-A900-24A45BE2ACD8",
"versionEndExcluding": "2.1.7",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution."
},
{
"lang": "es",
"value": "En Apache Syncope versiones 2.1.X anteriores a 2.1.7, cuando la extensi\u00f3n Flowable est\u00e1 habilitada, un administrador con derechos de flujo de trabajo (workflow) puede usar Shell Service Tasks para llevar a cabo operaciones maliciosas, incluyendo pero sin limitarse a una lectura de archivos, una escritura de archivos y una ejecuci\u00f3n de c\u00f3digo"
}
],
"id": "CVE-2020-11977",
"lastModified": "2024-11-21T04:59:01.910",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.5,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-15T20:15:13.040",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-1961
Vulnerability from fkie_nvd - Published: 2020-05-04 13:15 - Updated: 2024-11-21 05:11
Severity ?
Summary
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://syncope.apache.org/security | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://syncope.apache.org/security | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "35845EE4-A8AC-4F33-8317-CEF91BB492E3",
"versionEndExcluding": "2.0.15",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "31260109-834D-4DCF-AA29-754026EC13A2",
"versionEndExcluding": "2.1.6",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Inyecci\u00f3n de Plantillas del Lado del Servidor en las plantillas de Correo para Apache Syncope versiones 2.0.X anteriores a la versi\u00f3n 2.0.15, versiones 2.1.X anteriores a la versi\u00f3n 2.1.6, que permiten a atacantes inyectar expresiones JEXL arbitrarias, conllevando a una Ejecuci\u00f3n de C\u00f3digo Remota (RCE)."
}
],
"id": "CVE-2020-1961",
"lastModified": "2024-11-21T05:11:44.600",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-04T13:15:14.033",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "http://syncope.apache.org/security"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://syncope.apache.org/security"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-1959
Vulnerability from fkie_nvd - Published: 2020-05-04 13:15 - Updated: 2024-11-21 05:11
Severity ?
Summary
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://syncope.apache.org/security | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://syncope.apache.org/security | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "31260109-834D-4DCF-AA29-754026EC13A2",
"versionEndExcluding": "2.1.6",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code."
},
{
"lang": "es",
"value": "Se identific\u00f3 una Inyecci\u00f3n de Plantillas del Lado del Servidor en Apache Syncope versiones anteriores a la versi\u00f3n 2.1.6, que permit\u00eda a atacantes inyectar expresiones JEXL arbitrarias, conllevando a una vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota (RCE) no autenticada. Apache Syncope usa validadores de restricciones personalizadas Java Bean Validation (JSR 380). Cuando se construyen mensajes de error de violaci\u00f3n de restricciones personalizadas, ellos soportan diferentes tipos de interpolaci\u00f3n, incluyendo expresiones de Java EL. Por lo tanto, si un atacante puede inyectar datos arbitrarios en la plantilla de mensajes de error que es pasada, ellos ser\u00edan capaces de ejecutar c\u00f3digo Java arbitrario."
}
],
"id": "CVE-2020-1959",
"lastModified": "2024-11-21T05:11:44.377",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-04T13:15:13.533",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "http://syncope.apache.org/security"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://syncope.apache.org/security"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-917"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-17557
Vulnerability from fkie_nvd - Published: 2020-05-04 13:15 - Updated: 2024-11-21 04:32
Severity ?
Summary
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://syncope.apache.org/security | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://syncope.apache.org/security | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "35845EE4-A8AC-4F33-8317-CEF91BB492E3",
"versionEndExcluding": "2.0.15",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "31260109-834D-4DCF-AA29-754026EC13A2",
"versionEndExcluding": "2.1.6",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string."
},
{
"lang": "es",
"value": "Se ha descubierto que la p\u00e1gina de inicio Apache Syncope EndUser UI versiones anteriores a la versi\u00f3n 2.0.15 y 2.1.6, refleja el par\u00e1metro successMessage. Por este motivo, un usuario que accede a la Interfaz de Usuario de Enduser podr\u00eda ejecutar c\u00f3digo javascript desde una cadena de consulta de URL."
}
],
"id": "CVE-2019-17557",
"lastModified": "2024-11-21T04:32:31.327",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-04T13:15:11.657",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "http://syncope.apache.org/security"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://syncope.apache.org/security"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-17186
Vulnerability from fkie_nvd - Published: 2018-11-06 20:29 - Updated: 2024-11-21 03:54
Severity ?
Summary
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions | Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DED2B48B-C25E-42B9-8CDB-12148CE18CE6",
"versionEndIncluding": "2.0.11",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4D6A13F-E1C8-4C9F-B551-90200C351FC1",
"versionEndIncluding": "2.1.2",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution."
},
{
"lang": "es",
"value": "Un administrador con permisos de definici\u00f3n de flujos de trabajo puede emplear DTD para realizar operaciones maliciosas, incluyendo pero sin limitarse a la lectura y escritura de archivos, y a la ejecuci\u00f3n de c\u00f3digo."
}
],
"id": "CVE-2018-17186",
"lastModified": "2024-11-21T03:54:02.740",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-11-06T20:29:00.217",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-17184
Vulnerability from fkie_nvd - Published: 2018-11-06 19:29 - Updated: 2024-11-21 03:54
Severity ?
Summary
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05AFF8AB-60D2-4BE8-83E1-696FCCD68127",
"versionEndExcluding": "2.0.11",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A46F29D6-E4E8-4715-8A1B-AF6B14954858",
"versionEndExcluding": "2.1.2",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed."
},
{
"lang": "es",
"value": "Un usuario malicioso con suficientes permisos de administrador puede inyectar elementos de tipo html que contienen instrucciones JavaScript en los nombres Connector y Report, las claves AnyTypeClass y las descripciones Policy. Cuando otro usuario con suficientes permisos de administraci\u00f3n edita una de las Entidades anteriores mediante la Consola de Administrador, el c\u00f3digo JavaScript inyectado se ejecuta."
}
],
"id": "CVE-2018-17184",
"lastModified": "2024-11-21T03:54:02.603",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-11-06T19:29:00.433",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-65998 (GCVE-0-2025-65998)
Vulnerability from cvelistv5 – Published: 2025-11-24 13:47 – Updated: 2025-11-24 15:36
VLAI?
Summary
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.
When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.
This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.
Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.
Severity ?
No CVSS data available.
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
2.1 , ≤ 2.1.14
(semver)
Affected: 3.0 , ≤ 3.0.14 (semver) Affected: 4.0 , ≤ 4.0.2 (semver) |
Credits
Clemens Bergmann (Technical University of Darmstadt)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-24T15:04:26.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/24/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-65998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T15:35:31.369551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T15:36:14.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.syncope.core:syncope-core-spring",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.14",
"status": "affected",
"version": "3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Clemens Bergmann (Technical University of Darmstadt)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\u003c/p\u003e\u003cp\u003eWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\u003cbr\u003eThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.\u003c/p\u003e"
}
],
"value": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T13:47:03.979Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Syncope: Default AES key used for internal password encryption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-65998",
"datePublished": "2025-11-24T13:47:03.979Z",
"dateReserved": "2025-11-19T08:09:02.428Z",
"dateUpdated": "2025-11-24T15:36:14.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57738 (GCVE-0-2025-57738)
Vulnerability from cvelistv5 – Published: 2025-10-20 14:43 – Updated: 2025-11-04 21:13
VLAI?
Summary
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.
Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.
Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.
Severity ?
No CVSS data available.
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
2.1 , ≤ 2.1.14
(semver)
Affected: 3.0 , ≤ 3.0.13 (semver) Affected: 4.0 , ≤ 4.0.1 (semver) |
Credits
Mike Cole (Mantel Group)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-57738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T15:13:38.012543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:15:48.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:18.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/20/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.13",
"status": "affected",
"version": "3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mike Cole (Mantel Group)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\u003cbr\u003eSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\u003cbr\u003eUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox."
}
],
"value": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\nSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\nUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T14:43:39.985Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Syncope: Remote Code Execution by delegated administrators",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-57738",
"datePublished": "2025-10-20T14:43:39.985Z",
"dateReserved": "2025-08-19T06:32:04.510Z",
"dateUpdated": "2025-11-04T21:13:18.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45031 (GCVE-0-2024-45031)
Vulnerability from cvelistv5 – Published: 2024-10-24 14:21 – Updated: 2025-09-01 09:41
VLAI?
Summary
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.
XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.
Users are recommended to upgrade to version 3.0.9, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
2.1 , ≤ 2.1.14
(semver)
Affected: 3.0 , ≤ 3.0.8 (semver) |
Credits
Kasper Karlsson, Omegapoint
Pontus Hanssen, Omegapoint
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T14:50:27.777412Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T21:20:21.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-10-24T15:03:34.904Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/10/24/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.8",
"status": "affected",
"version": "3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kasper Karlsson, Omegapoint"
},
{
"lang": "en",
"type": "finder",
"value": "Pontus Hanssen, Omegapoint"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.\u003cbr\u003eXSS payloads could also be injected in Syncope Enduser when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.0.9, which fixes this issue."
}
],
"value": "When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.\nXSS payloads could also be injected in Syncope Enduser when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.\n\nUsers are recommended to upgrade to version 3.0.9, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T09:41:29.319Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fn567pfmo3s55ofkc42drz8b4kgbhp9m"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Syncope: Stored XSS in Console and Enduser",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45031",
"datePublished": "2024-10-24T14:21:35.279Z",
"dateReserved": "2024-08-21T07:49:22.028Z",
"dateUpdated": "2025-09-01T09:41:29.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38503 (GCVE-0-2024-38503)
Vulnerability from cvelistv5 – Published: 2024-07-22 09:46 – Updated: 2024-12-06 21:48
VLAI?
Summary
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.
Users are recommended to upgrade to version 3.0.8, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
2.1 , ≤ 2.1.14
(semver)
Affected: 3.0 , ≤ 3.0.7 (semver) |
Credits
Basalt IT-Security Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T18:24:24.050542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T21:48:36.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/22/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basalt IT-Security Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.\u003cbr\u003eThe same vulnerability was found in the Syncope Enduser, when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.0.8, which fixes this issue."
}
],
"value": "When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.\nThe same vulnerability was found in the Syncope Enduser, when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d.\n\nUsers are recommended to upgrade to version 3.0.8, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T11:11:11.543Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/07/22/3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Syncope: HTML tags can be injected into Console or Enduser text fields",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-38503",
"datePublished": "2024-07-22T09:46:39.285Z",
"dateReserved": "2024-06-18T08:50:18.444Z",
"dateUpdated": "2024-12-06T21:48:36.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11977 (GCVE-0-2020-11977)
Vulnerability from cvelistv5 – Published: 2020-09-15 19:02 – Updated: 2024-08-04 11:48
VLAI?
Summary
In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
Severity ?
No CVSS data available.
CWE
- Apache Syncope: Remote Code Execution via Flowable workflow definition
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Syncope |
Affected:
Apache Syncope 2.1.X releases prior to 2.1.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:57.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Syncope 2.1.X releases prior to 2.1.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Apache Syncope: Remote Code Execution via Flowable workflow definition",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-15T19:02:51",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-11977",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope 2.1.X releases prior to 2.1.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Apache Syncope: Remote Code Execution via Flowable workflow definition"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition",
"refsource": "MISC",
"url": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-11977",
"datePublished": "2020-09-15T19:02:51",
"dateReserved": "2020-04-21T00:00:00",
"dateUpdated": "2024-08-04T11:48:57.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1961 (GCVE-0-2020-1961)
Vulnerability from cvelistv5 – Published: 2020-05-04 12:28 – Updated: 2024-08-04 06:53
VLAI?
Summary
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.
Severity ?
No CVSS data available.
CWE
- Server-Side Template Injection on mail templates
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Syncope |
Affected:
Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:53:59.969Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://syncope.apache.org/security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-Side Template Injection on mail templates",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T12:28:53",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://syncope.apache.org/security"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-1961",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server-Side Template Injection on mail templates"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://syncope.apache.org/security",
"refsource": "MISC",
"url": "http://syncope.apache.org/security"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-1961",
"datePublished": "2020-05-04T12:28:53",
"dateReserved": "2019-12-02T00:00:00",
"dateUpdated": "2024-08-04T06:53:59.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17557 (GCVE-0-2019-17557)
Vulnerability from cvelistv5 – Published: 2020-05-04 12:27 – Updated: 2024-08-05 01:40
VLAI?
Summary
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.
Severity ?
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Syncope |
Affected:
Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://syncope.apache.org/security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T12:27:31",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://syncope.apache.org/security"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17557",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://syncope.apache.org/security",
"refsource": "MISC",
"url": "http://syncope.apache.org/security"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17557",
"datePublished": "2020-05-04T12:27:31",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-05T01:40:15.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1959 (GCVE-0-2020-1959)
Vulnerability from cvelistv5 – Published: 2020-05-04 12:25 – Updated: 2024-08-04 06:54
VLAI?
Summary
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code.
Severity ?
No CVSS data available.
CWE
- Multiple Remote Code Execution Vulnerabilities
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Syncope |
Affected:
Apache Syncope 2.1.X releases prior to 2.1.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:54:00.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://syncope.apache.org/security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Syncope 2.1.X releases prior to 2.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Multiple Remote Code Execution Vulnerabilities",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T12:25:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://syncope.apache.org/security"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-1959",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope 2.1.X releases prior to 2.1.6"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Multiple Remote Code Execution Vulnerabilities"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://syncope.apache.org/security",
"refsource": "MISC",
"url": "http://syncope.apache.org/security"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-1959",
"datePublished": "2020-05-04T12:25:18",
"dateReserved": "2019-12-02T00:00:00",
"dateUpdated": "2024-08-04T06:54:00.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-17186 (GCVE-0-2018-17186)
Vulnerability from cvelistv5 – Published: 2018-11-06 21:00 – Updated: 2024-09-17 00:31
VLAI?
Summary
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
Apache Syncope releases prior to 2.0.11 and 2.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:39:59.572Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
}
]
}
],
"datePublic": "2018-11-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-06T20:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-11-06T00:00:00",
"ID": "CVE-2018-17186",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions",
"refsource": "MISC",
"url": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-17186",
"datePublished": "2018-11-06T21:00:00Z",
"dateReserved": "2018-09-19T00:00:00",
"dateUpdated": "2024-09-17T00:31:30.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-17184 (GCVE-0-2018-17184)
Vulnerability from cvelistv5 – Published: 2018-11-06 19:00 – Updated: 2024-09-17 02:52
VLAI?
Summary
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
Severity ?
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
Apache Syncope releases prior to 2.0.11 and 2.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:39:59.596Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
}
]
}
],
"datePublic": "2018-11-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-06T18:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-11-06T00:00:00",
"ID": "CVE-2018-17184",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS",
"refsource": "MISC",
"url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-17184",
"datePublished": "2018-11-06T19:00:00Z",
"dateReserved": "2018-09-19T00:00:00",
"dateUpdated": "2024-09-17T02:52:18.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-65998 (GCVE-0-2025-65998)
Vulnerability from nvd – Published: 2025-11-24 13:47 – Updated: 2025-11-24 15:36
VLAI?
Summary
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.
When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.
This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.
Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.
Severity ?
No CVSS data available.
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
2.1 , ≤ 2.1.14
(semver)
Affected: 3.0 , ≤ 3.0.14 (semver) Affected: 4.0 , ≤ 4.0.2 (semver) |
Credits
Clemens Bergmann (Technical University of Darmstadt)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-24T15:04:26.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/24/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-65998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T15:35:31.369551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T15:36:14.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.syncope.core:syncope-core-spring",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.14",
"status": "affected",
"version": "3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Clemens Bergmann (Technical University of Darmstadt)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\u003c/p\u003e\u003cp\u003eWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\u003cbr\u003eThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.\u003c/p\u003e"
}
],
"value": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T13:47:03.979Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Syncope: Default AES key used for internal password encryption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-65998",
"datePublished": "2025-11-24T13:47:03.979Z",
"dateReserved": "2025-11-19T08:09:02.428Z",
"dateUpdated": "2025-11-24T15:36:14.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57738 (GCVE-0-2025-57738)
Vulnerability from nvd – Published: 2025-10-20 14:43 – Updated: 2025-11-04 21:13
VLAI?
Summary
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.
Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.
Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.
Severity ?
No CVSS data available.
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
2.1 , ≤ 2.1.14
(semver)
Affected: 3.0 , ≤ 3.0.13 (semver) Affected: 4.0 , ≤ 4.0.1 (semver) |
Credits
Mike Cole (Mantel Group)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-57738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T15:13:38.012543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:15:48.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:18.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/20/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.13",
"status": "affected",
"version": "3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mike Cole (Mantel Group)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\u003cbr\u003eSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\u003cbr\u003eUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox."
}
],
"value": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\nSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\nUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T14:43:39.985Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Syncope: Remote Code Execution by delegated administrators",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-57738",
"datePublished": "2025-10-20T14:43:39.985Z",
"dateReserved": "2025-08-19T06:32:04.510Z",
"dateUpdated": "2025-11-04T21:13:18.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45031 (GCVE-0-2024-45031)
Vulnerability from nvd – Published: 2024-10-24 14:21 – Updated: 2025-09-01 09:41
VLAI?
Summary
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.
XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.
Users are recommended to upgrade to version 3.0.9, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
2.1 , ≤ 2.1.14
(semver)
Affected: 3.0 , ≤ 3.0.8 (semver) |
Credits
Kasper Karlsson, Omegapoint
Pontus Hanssen, Omegapoint
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T14:50:27.777412Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T21:20:21.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-10-24T15:03:34.904Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/10/24/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.8",
"status": "affected",
"version": "3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kasper Karlsson, Omegapoint"
},
{
"lang": "en",
"type": "finder",
"value": "Pontus Hanssen, Omegapoint"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.\u003cbr\u003eXSS payloads could also be injected in Syncope Enduser when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.0.9, which fixes this issue."
}
],
"value": "When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.\nXSS payloads could also be injected in Syncope Enduser when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.\n\nUsers are recommended to upgrade to version 3.0.9, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T09:41:29.319Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fn567pfmo3s55ofkc42drz8b4kgbhp9m"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Syncope: Stored XSS in Console and Enduser",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45031",
"datePublished": "2024-10-24T14:21:35.279Z",
"dateReserved": "2024-08-21T07:49:22.028Z",
"dateUpdated": "2025-09-01T09:41:29.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38503 (GCVE-0-2024-38503)
Vulnerability from nvd – Published: 2024-07-22 09:46 – Updated: 2024-12-06 21:48
VLAI?
Summary
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.
Users are recommended to upgrade to version 3.0.8, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
2.1 , ≤ 2.1.14
(semver)
Affected: 3.0 , ≤ 3.0.7 (semver) |
Credits
Basalt IT-Security Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T18:24:24.050542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T21:48:36.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/22/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basalt IT-Security Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.\u003cbr\u003eThe same vulnerability was found in the Syncope Enduser, when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.0.8, which fixes this issue."
}
],
"value": "When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.\nThe same vulnerability was found in the Syncope Enduser, when editing \u201cPersonal Information\u201d or \u201cUser Requests\u201d.\n\nUsers are recommended to upgrade to version 3.0.8, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T11:11:11.543Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/07/22/3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Syncope: HTML tags can be injected into Console or Enduser text fields",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-38503",
"datePublished": "2024-07-22T09:46:39.285Z",
"dateReserved": "2024-06-18T08:50:18.444Z",
"dateUpdated": "2024-12-06T21:48:36.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11977 (GCVE-0-2020-11977)
Vulnerability from nvd – Published: 2020-09-15 19:02 – Updated: 2024-08-04 11:48
VLAI?
Summary
In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
Severity ?
No CVSS data available.
CWE
- Apache Syncope: Remote Code Execution via Flowable workflow definition
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Syncope |
Affected:
Apache Syncope 2.1.X releases prior to 2.1.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:57.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Syncope 2.1.X releases prior to 2.1.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Apache Syncope: Remote Code Execution via Flowable workflow definition",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-15T19:02:51",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-11977",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope 2.1.X releases prior to 2.1.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Apache Syncope: Remote Code Execution via Flowable workflow definition"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition",
"refsource": "MISC",
"url": "https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-11977",
"datePublished": "2020-09-15T19:02:51",
"dateReserved": "2020-04-21T00:00:00",
"dateUpdated": "2024-08-04T11:48:57.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1961 (GCVE-0-2020-1961)
Vulnerability from nvd – Published: 2020-05-04 12:28 – Updated: 2024-08-04 06:53
VLAI?
Summary
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.
Severity ?
No CVSS data available.
CWE
- Server-Side Template Injection on mail templates
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Syncope |
Affected:
Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:53:59.969Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://syncope.apache.org/security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-Side Template Injection on mail templates",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T12:28:53",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://syncope.apache.org/security"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-1961",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server-Side Template Injection on mail templates"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://syncope.apache.org/security",
"refsource": "MISC",
"url": "http://syncope.apache.org/security"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-1961",
"datePublished": "2020-05-04T12:28:53",
"dateReserved": "2019-12-02T00:00:00",
"dateUpdated": "2024-08-04T06:53:59.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17557 (GCVE-0-2019-17557)
Vulnerability from nvd – Published: 2020-05-04 12:27 – Updated: 2024-08-05 01:40
VLAI?
Summary
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.
Severity ?
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Syncope |
Affected:
Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://syncope.apache.org/security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T12:27:31",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://syncope.apache.org/security"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17557",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://syncope.apache.org/security",
"refsource": "MISC",
"url": "http://syncope.apache.org/security"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17557",
"datePublished": "2020-05-04T12:27:31",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-05T01:40:15.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1959 (GCVE-0-2020-1959)
Vulnerability from nvd – Published: 2020-05-04 12:25 – Updated: 2024-08-04 06:54
VLAI?
Summary
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code.
Severity ?
No CVSS data available.
CWE
- Multiple Remote Code Execution Vulnerabilities
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Syncope |
Affected:
Apache Syncope 2.1.X releases prior to 2.1.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:54:00.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://syncope.apache.org/security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Syncope 2.1.X releases prior to 2.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Multiple Remote Code Execution Vulnerabilities",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-04T12:25:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://syncope.apache.org/security"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-1959",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope 2.1.X releases prior to 2.1.6"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Multiple Remote Code Execution Vulnerabilities"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://syncope.apache.org/security",
"refsource": "MISC",
"url": "http://syncope.apache.org/security"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-1959",
"datePublished": "2020-05-04T12:25:18",
"dateReserved": "2019-12-02T00:00:00",
"dateUpdated": "2024-08-04T06:54:00.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-17186 (GCVE-0-2018-17186)
Vulnerability from nvd – Published: 2018-11-06 21:00 – Updated: 2024-09-17 00:31
VLAI?
Summary
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
Apache Syncope releases prior to 2.0.11 and 2.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:39:59.572Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
}
]
}
],
"datePublic": "2018-11-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-06T20:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-11-06T00:00:00",
"ID": "CVE-2018-17186",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions",
"refsource": "MISC",
"url": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-17186",
"datePublished": "2018-11-06T21:00:00Z",
"dateReserved": "2018-09-19T00:00:00",
"dateUpdated": "2024-09-17T00:31:30.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-17184 (GCVE-0-2018-17184)
Vulnerability from nvd – Published: 2018-11-06 19:00 – Updated: 2024-09-17 02:52
VLAI?
Summary
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
Severity ?
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Affected:
Apache Syncope releases prior to 2.0.11 and 2.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:39:59.596Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
}
]
}
],
"datePublic": "2018-11-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-06T18:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-11-06T00:00:00",
"ID": "CVE-2018-17184",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Syncope",
"version": {
"version_data": [
{
"version_value": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS",
"refsource": "MISC",
"url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-17184",
"datePublished": "2018-11-06T19:00:00Z",
"dateReserved": "2018-09-19T00:00:00",
"dateUpdated": "2024-09-17T02:52:18.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}