Author: ilgrosso
Date: Fri Nov  7 11:26:16 2025
New Revision: 1929578

Log:
Two new committers in, updating team page

Modified:
   syncope/site/security.html
   syncope/site/team.html

Modified: syncope/site/security.html
==============================================================================
--- syncope/site/security.html  Fri Nov  7 10:52:00 2025        (r1929577)
+++ syncope/site/security.html  Fri Nov  7 11:26:16 2025        (r1929578)
@@ -97,69 +97,70 @@
       
 <p>If you want to report a vulnerability, please follow <a 
href="https://www.apache.org/security/"; class="externalLink">the 
procedure</a>.</p>
 
-      <section><a id="CVE-2025-57738"></a>
+      <section><a 
id="CVE-2025-57738.3A_Apache_Syncope.3A_Remote_Code_Execution_by_delegated_administrators"></a>
 <h2>CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated 
administrators</h2>
-
+        
 <p>Apache Syncope offers the ability to extend / customize the base behavior 
on every deployment by allowing to provide custom implementations of a few Java 
interfaces; such implementations can be provided either as Java or Groovy 
classes, with the latter being particularly attractive as the machinery is set 
for runtime reload.
 Such a feature has been available for a while, but recently it was discovered 
that a malicious administrator can inject Groovy code that can be executed 
remotely by a running Apache Syncope Core instance.
 Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this 
issue by forcing the Groovy code to run in a sandbox.</p>
 
-
+        
 <p>
           <b>Severity</b>
         </p>
-
+        
 <p>Moderate</p>
 
-
+        
 <p>
           <b>Affects</b>
         </p>
-
+        
 <p>
           </p>
 <ul>
-
+            
 <li>4.0 through 4.0.1</li>
-
+            
 <li>3.0 through 3.0.13</li>
-
+            
 <li>2.1 through 2.1.14</li>
           </ul>
+        
 
-
-
+        
 <p>
           <b>Solution</b>
         </p>
-
+        
 <p>
           </p>
 <ul>
-
+            
 <li>Users are recommended to upgrade to version 4.0.2 / 3.0.14 which fix this 
issue.</li>
           </ul>
+        
 
-
-
+        
 <p>
           <b>Fixed in</b>
         </p>
-
+        
 <p>
           </p>
 <ul>
-
+            
 <li>Release 4.0.2</li>
+            
 <li>Release 3.0.14</li>
           </ul>
+        
 
-
-
+        
 <p>Read the <a href="https://www.cve.org/CVERecord?id=CVE-2025-57738"; 
class="externalLink">full CVE advisory</a>.</p>
       </section>
 
-<section><a 
id="CVE-2024-45031.3A_Apache_Syncope.3A_Stored_XSS_in_Console_and_Enduser"></a>
+      <section><a 
id="CVE-2024-45031.3A_Apache_Syncope.3A_Stored_XSS_in_Console_and_Enduser"></a>
 <h2>CVE-2024-45031: Apache Syncope: Stored XSS in Console and Enduser</h2>
         
 <p>When editing objects in the Syncope Console, incomplete HTML tags could be 
used to bypass HTML sanitization. This made it possible to inject stored XSS 
payloads which would trigger for other users during ordinary usage of the 
application.<br />
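Review bot: the anchor change at the top of this hunk, from `<a id="CVE-2025-57738">` to the long id `CVE-2025-57738.3A_Apache_Syncope.3A_Remote_Code_Execution_by_delegated_administrators`, breaks any existing link to `security.html#CVE-2025-57738`, and the log message ("Two new committers in, updating team page") does not mention security.html at all. If the new id is a by-product of regenerating the site, consider keeping the short id as an additional anchor so links to the advisory still resolve, and say so in the log. The remaining changes in this hunk are whitespace-only and would be easier to review as a separate commit. Separately, the unchanged context lists 2.1 through 2.1.14 as affected while "Solution" and "Fixed in" name only 4.0.2 / 3.0.14; it would help to state explicitly what 2.1 users should do.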

Modified: syncope/site/team.html
==============================================================================
--- syncope/site/team.html      Fri Nov  7 10:52:00 2025        (r1929577)
+++ syncope/site/team.html      Fri Nov  7 11:26:16 2025        (r1929578)
@@ -302,7 +302,25 @@
 <td>-</td>
 <td>Tirasa</td>
 <td><a class="externalLink" 
href="https://www.tirasa.net/";>https://www.tirasa.net/</a></td>
-<td>PMC member</td></tr></table></section><section><a id="Contributors"></a>
+<td>PMC member</td></tr>
+<tr class="a">
+<td><figure><img src="avatars/00000000000000000000000000000000.jpg" 
/></figure></td>
+<td><a id="matato"></a>matato</td>
+<td>Matteo Tatoni</td>
+<td><a class="externalLink" 
href="mailto:[email protected]";>[email protected]</a></td>
+<td>-</td>
+<td>Tirasa</td>
+<td><a class="externalLink" 
href="https://www.tirasa.net/";>https://www.tirasa.net/</a></td>
+<td>committer</td></tr>
+<tr class="b">
+<td><figure><img src="avatars/00000000000000000000000000000000.jpg" 
/></figure></td>
+<td><a id="abogi"></a>abogi</td>
+<td>Alberto Bogi</td>
+<td><a class="externalLink" 
href="mailto:[email protected]";>[email protected]</a></td>
+<td>-</td>
+<td>Tirasa</td>
+<td><a class="externalLink" 
href="https://www.tirasa.net/";>https://www.tirasa.net/</a></td>
+<td>committer</td></tr></table></section><section><a id="Contributors"></a>
 <h2>Contributors</h2>
 <p>The following additional people have contributed to this project through 
the way of suggestions, patches or documentation.</p>
 <table class="table table-striped">
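Review bot: both added rows point at the same image, `avatars/00000000000000000000000000000000.jpg`, and neither `<img>` carries an `alt` attribute. If the all-zero file name is an intentional placeholder, confirm that the file exists under avatars/, and add alt text (for example the committer's name) so the row stays meaningful when the image does not load. Also check that the `class="a"` / `class="b"` striping on the new rows continues correctly from the preceding PMC member row, whose class is not visible in this hunk.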
