CVE-2018-1321 – org.apache.syncope:syncope-core

Package

Manager: maven
Name: org.apache.syncope:syncope-core
Vulnerable Version: >=0 <1.2.11 || >=2.0.0 <2.0.8

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.11561 pctl0.93378

Details

High severity vulnerability that affects org.apache.syncope:syncope-core An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.

Metadata

Created: 2018-11-06T23:17:27Z
Modified: 2024-03-04T20:44:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-xgc9-9w4v-h33h/GHSA-xgc9-9w4v-h33h.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-xgc9-9w4v-h33h
Finding: F184
Auto approve: 1