Author: ilgrosso
Date: Mon Feb  2 12:10:47 2026
New Revision: 1931655

Log:
Updating security page

Modified:
   syncope/site/security.html

Modified: syncope/site/security.html
==============================================================================
--- syncope/site/security.html  Mon Feb  2 11:44:09 2026        (r1931654)
+++ syncope/site/security.html  Mon Feb  2 12:10:47 2026        (r1931655)
@@ -97,6 +97,129 @@
       
 <p>If you want to report a vulnerability, please follow <a 
href="https://www.apache.org/security/"; class="externalLink">the 
procedure</a>.</p>
 
+      <section><a 
id="CVE-2026-23795.3A_Apache_Syncope.3A_Console_XXE_on_Keymaster_parameters"></a>
+<h2>CVE-2026-23795: Apache Syncope: Console XXE on Keymaster parameters</h2>
+        
+<p>Improper Restriction of XML External Entity Reference vulnerability in 
Apache Syncope Console.</p>
+        
+<p>An administrator with adequate entitlements to create or edit Keymaster 
parameters via Console can construct malicious XML text to launch an XXE 
attack, thereby causing sensitive data leakage occurs.
+Reflected XSS in Apache Syncope's Enduser Login page.</p>
+
+        
+<p>
+          <b>Severity</b>
+        </p>
+        
+<p>Important</p>
+
+        
+<p>
+          <b>Affects</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>4.0 through 4.0.3</li>
+            
+<li>3.0 through 3.0.15</li>
+          </ul>
+        
+
+        
+<p>
+          <b>Solution</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>Users are recommended to upgrade to version 4.0.4 / 3.0.16 which fix this 
issue.</li>
+          </ul>
+        
+
+        
+<p>
+          <b>Fixed in</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>Release 4.0.4</li>
+            
+<li>Release 3.0.16</li>
+          </ul>
+        
+
+        
+<p>Read the <a href="https://www.cve.org/CVERecord?id=CVE-2026-23795"; 
class="externalLink">full CVE advisory</a>.</p>
+      </section>
+
+      <section><a 
id="CVE-2026-23794.3A_Apache_Syncope.3A_Reflected_XSS_on_Enduser_Login"></a>
+<h2>CVE-2026-23794: Apache Syncope: Reflected XSS on Enduser Login</h2>
+        
+<p>Reflected XSS in Apache Syncope's Enduser Login page.</p>
+        
+<p>An attacker that tricks a legitimate user into clicking a malicious link 
and logging in to Syncope Enduser could steal that user's credentials.</p>
+
+        
+<p>
+          <b>Severity</b>
+        </p>
+        
+<p>Important</p>
+
+        
+<p>
+          <b>Affects</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>4.0 through 4.0.3</li>
+            
+<li>3.0 through 3.0.15</li>
+          </ul>
+        
+
+        
+<p>
+          <b>Solution</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>Users are recommended to upgrade to version 4.0.4 / 3.0.16 which fix this 
issue.</li>
+          </ul>
+        
+
+        
+<p>
+          <b>Fixed in</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>Release 4.0.4</li>
+            
+<li>Release 3.0.16</li>
+          </ul>
+        
+
+        
+<p>Read the <a href="https://www.cve.org/CVERecord?id=CVE-2026-23794"; 
class="externalLink">full CVE advisory</a>.</p>
+      </section>
+
       <section><a 
id="CVE-2025-65998.3A_Apache_Syncope.3A_Default_AES_key_used_for_internal_password_encryption"></a>
 <h2>CVE-2025-65998: Apache Syncope: Default AES key used for internal password 
encryption</h2>
         
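Review bot: the CVE-2026-23795 description carries a copy-paste error in its second paragraph: after "thereby causing sensitive data leakage occurs." the line "Reflected XSS in Apache Syncope's Enduser Login page." has been pasted into the XXE section, where it does not belong (the same sentence appears, correctly, as the summary of CVE-2026-23794 further down). The preceding clause is also ungrammatical ("causing sensitive data leakage occurs"). Suggest rewording to "...can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage." and dropping the stray sentence, so a reader does not take the XXE advisory to also describe an XSS. Minor: in both new sections each `<ul>` under Affects, Solution and Fixed in is preceded by an empty `<p>` ... `</p>` pair, which renders as a blank paragraph; if the page is hand-edited rather than generated, those could be removed.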
