This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 3_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/3_0_X by this push:
     new 8919a4038f Website sources update
8919a4038f is described below

commit 8919a4038f105ee5546c3f4f1edc7888ec0a867a
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Thu Oct 24 10:00:51 2024 +0200

    Website sources update
---
 src/site/xdoc/release-process.xml |  8 +++-----
 src/site/xdoc/security.xml        | 40 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/src/site/xdoc/release-process.xml b/src/site/xdoc/release-process.xml
index 8fdb047325..6b54481c48 100644
--- a/src/site/xdoc/release-process.xml
+++ b/src/site/xdoc/release-process.xml
@@ -496,10 +496,8 @@ svn mv -m "Moving the voted release artifacts to 
dist/release" \
 https://dist.apache.org/repos/dist/dev/syncope/$VERSION
 https://dist.apache.org/repos/dist/release/syncope/
 
-svn co https://dist.apache.org/repos/dist/release/syncope syncope-dist-release
-cd syncope-dist-release
-svn rm <any older release artifact (if present)>
-svn commit -m "Cleaning up older releases"]]></source>
+svn rm -m "Cleaning up older releases" \
+https://dist.apache.org/repos/dist/release/syncope/$OLD_VERSION/]]></source>
           </li>
           <li>
             Add appropriate release notes to
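Review bot: `$OLD_VERSION` is introduced in the new `svn rm` line without being defined anywhere in this snippet; the surrounding commands only set `$VERSION`, so a release manager pasting the block with the variable unset would run `svn rm` against `https://dist.apache.org/repos/dist/release/syncope//`. Consider adding an explicit `OLD_VERSION=...` line before the command, or a sentence stating which release directory is meant. Note also that the removed checkout-and-`svn rm <any older release artifact (if present)>` sequence covered any number of older artifacts in one commit, while the new URL form removes one version directory per invocation; if more than one old release can be present at this point, say so or show multiple URLs.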
@@ -516,7 +514,7 @@ svn commit -m "Cleaning up older releases"]]></source>
             <source><![CDATA[
 svn co https://svn.apache.org/repos/asf/syncope/site/
 cd site
-svn rm *.html apidocs rest css images img js fonts docs
+svn rm *.html apidocs rest css images img js fonts docs xref*
 svn mv $VERSION/* .
 svn rm $VERSION
 svn commit -m "Promoting the staging site"]]></source>
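Review bot: the added `xref*` glob is expanded by the shell against the local working copy, and with bash's default settings an unmatched pattern is passed to `svn rm` literally, which then fails on a non-existent target; `*.html` on the same line already behaves this way, so this is consistent, but a short note naming which generated directories `xref*` is expected to match would help the next release manager verify the list before committing.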
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index 35837aff36..536be0edab 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -36,6 +36,46 @@ under the License.
 
       <p>If you want to report a vulnerability, please follow <a 
href="https://www.apache.org/security/";>the procedure</a>.</p>
 
+      <subsection name="CVE-2024-45031: Apache Syncope: Stored XSS in Console 
and Enduser">
+        <p>When editing objects in the Syncope Console, incomplete HTML tags 
could be used to bypass HTML sanitization. This made it possible to inject 
stored XSS payloads which would trigger for other users during ordinary usage 
of the application.<br/>
+XSS payloads could also be injected in Syncope Enduser when editing “Personal 
Information” or “User Requests”: such payloads would trigger for administrators 
in Syncope Console, thus enabling session hijacking.</p>
+
+        <p>
+          <b>Severity</b>
+        </p>
+        <p>Moderate</p>
+
+        <p>
+          <b>Affects</b>
+        </p>
+        <p>
+          <ul>
+            <li>3.0 through 3.0.8</li>
+            <li>2.1 through 2.1.14</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Solution</b>
+        </p>
+        <p>
+          <ul>
+            <li>Users are recommended to upgrade to version 3.0.9, which fixes 
this issue.</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Fixed in</b>
+        </p>
+        <p>
+          <ul>
+            <li>Release 3.0.9</li>
+          </ul>
+        </p>
+
+        <p>Read the <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45031";>full CVE 
advisory</a>.</p>
+      </subsection>
+
       <subsection name="CVE-2024-38503: HTML tags can be injected into Console 
or Enduser text fields">
         <p>When editing a user, group or any object in the Syncope Console, 
HTML tags could be added to any text field and could lead to potential exploits.
 The same vulnerability was found in the Syncope Enduser, when editing 
“Personal Information” or “User Requests”.</p>
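Review bot: in the new subsection the `<ul>` lists under Affects, Solution and Fixed in are nested directly inside `<p>` elements; a paragraph cannot contain a block-level list in XHTML, so depending on the xdoc renderer this yields empty paragraphs or silently rewritten markup. Consider dropping the wrapping `<p>` around each `<ul>`. Separately, Affects lists "2.1 through 2.1.14" but Solution and Fixed in mention only 3.0.9; a sentence stating whether the 2.1 line receives a fix or is end-of-life would complete the advisory.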
