Description: It was found that the EndUser UI login page reflects the successMessage parameter into the page without encoding it. By this means, a user accessing the Enduser UI could execute JavaScript code supplied in the URL query string (reflected cross-site scripting).
Severity: Medium

Vendor: The Apache Software Foundation

Affects:
2.0.X releases prior to 2.0.15
2.1.X releases prior to 2.1.6

Solution:
2.0.X users: upgrade to 2.0.15
2.1.X users: upgrade to 2.1.6

Credit: This issue was independently discovered by CNCERT songmingxuan and GitHub Security Lab team member Alvaro Muñoz - https://github.com/pwntester

References: https://syncope.apache.org/security
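The class of defect described above (a query-string value reflected into HTML verbatim) and the fix the upgrade applies (output encoding before rendering), shown as an added example that is not Apache Syncope's code. The page template, the parameter extraction and the sample URL are constructed for the example; the only assumption carried over from the advisory is the parameter name successMessage.

```python
"""Added example (not Apache Syncope code): reflecting a query-string parameter
such as successMessage into HTML, the vulnerable way and the hardened way.

The vulnerable renderer interpolates the raw value into markup, so any tags in it
become part of the page. The hardened renderer HTML-escapes the value first, so
the browser treats it as text. All values below are constructed for the example.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a login page's success banner (not Syncope's markup).
PAGE_TEMPLATE = '<div class="alert alert-success">{msg}</div>'
TEMPLATE_TAG_COUNT = PAGE_TEMPLATE.count("<")


def success_message_from_url(url: str) -> str:
    """Return the first successMessage value from the URL's query string ('' if absent).

    parse_qs percent-decodes the value, which is exactly what a web framework does
    before handing it to the view; the raw '<' and '>' come back at this point.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("successMessage", [""])[0]


def render_unsafe(msg: str) -> str:
    """Vulnerable pattern: the untrusted value is placed into the HTML unchanged."""
    return PAGE_TEMPLATE.format(msg=msg)


def render_safe(msg: str) -> str:
    """Hardened pattern: encode &, <, >, " and ' so the value lands in a text node.

    quote=True also escapes quote characters, which matters if the same value is
    ever placed inside an attribute rather than element content.
    """
    return PAGE_TEMPLATE.format(msg=escape(msg, quote=True))


def introduces_new_tags(rendered: str) -> bool:
    """Defensive check: True if the rendered page contains more '<' than the
    template itself, i.e. the untrusted value contributed markup of its own."""
    return rendered.count("<") > TEMPLATE_TAG_COUNT


if __name__ == "__main__":
    # Constructed request URL carrying a percent-encoded script tag in the parameter.
    url = "https://enduser.example/login?successMessage=%3Cscript%3Ealert(1)%3C/script%3E"
    msg = success_message_from_url(url)
    print("unsafe :", render_unsafe(msg), "->", introduces_new_tags(render_unsafe(msg)))
    print("safe   :", render_safe(msg), "->", introduces_new_tags(render_safe(msg)))
```

The check in introduces_new_tags is the kind of assertion a unit test for a view can carry: render with a value containing markup and confirm the page gained no tags. Escaping at the point of output, as render_safe does, is preferable to filtering the input, because the same value may be reflected in several places and a blocklist of strings is easy to miss.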