Severity: moderate

Affected versions:

- Apache Syncope 2.1 through 2.1.14
- Apache Syncope 3.0 through 3.0.8

Description:

When editing objects in the Syncope Console, incomplete HTML tags could be used
to bypass HTML sanitization. This made it possible to inject stored XSS
payloads which would trigger for other users during ordinary usage of the
application.

XSS payloads could also be injected in Syncope Enduser when editing “Personal
Information” or “User Requests”: such payloads would trigger for administrators
in Syncope Console, thus enabling session hijacking.

Users are recommended to upgrade to version 3.0.9, which fixes this issue.

Credit:

Kasper Karlsson, Omegapoint (finder)
Pontus Hanssen, Omegapoint (finder)

References:

https://syncope.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-45031
