CVE-2024-38503 org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui

Package

Manager: maven
Name: org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui
Vulnerable Version: >=2.1.0 <3.0.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01148 (percentile 0.77673)

Details

Apache Syncope Improper Input Validation vulnerability. When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field, which could lead to potential exploits. The same vulnerability was found in the Syncope Enduser when editing "Personal Information" or "User Requests". Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Metadata

Created: 2024-07-22T12:30:37Z
Modified: 2024-12-07T00:32:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-8pxv-x6jq-5vw9/GHSA-8pxv-x6jq-5vw9.json
CWE IDs: ["CWE-20", "CWE-79"]
Alternative ID: GHSA-8pxv-x6jq-5vw9
Finding: F425
Auto approve: 1