Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04cHh2LXg2anEtNXZ3Oc4AA-Ev

Apache Syncope Improper Input Validation vulnerability

When editing a user, group or any other object in the Syncope Console, HTML tags could be entered into any text field; the markup was accepted without validation and could be used for injection attacks against the application. The same weakness was found in the Syncope Enduser when editing "Personal Information" or "User Requests".

Users are recommended to upgrade to version 3.0.8, which fixes this issue.
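The weakness above is a missing input-side check on free-text attributes. The following Python is an added example, not code from Apache Syncope or from this advisory, of the two controls a practitioner would want around such fields: an input validator that rejects values carrying HTML tags (literal, or hidden behind one layer of entity encoding) and an output-side escape for anything already stored. The attribute names and values in `SAMPLE_ATTRIBUTES` are constructed for the demonstration; Syncope's actual fix may differ from this approach.

```python
import html
import re
from typing import Dict, Optional

# A literal HTML/XML tag: "<" directly followed by an optional "/" and a tag
# name (or "!"/"?" for comments and processing instructions). Not allowing
# whitespace after "<" keeps plain text such as "a < b and c > d" acceptable,
# which is also how browsers tokenise it.
TAG_RE = re.compile(r"</?[A-Za-z!?][^>]*>")


def contains_markup(value: str) -> bool:
    """True if the value carries an HTML tag, either literally or hidden
    behind one layer of entity encoding (e.g. "&lt;script&gt;"), which a
    later decoding step could turn back into a live tag."""
    if TAG_RE.search(value):
        return True
    decoded = html.unescape(value)
    return decoded != value and TAG_RE.search(decoded) is not None


def validate_text_field(name: str, value: str) -> Optional[str]:
    """Input-side check for a plain-text attribute: returns an error message
    when the value must be rejected, None when it is acceptable."""
    if contains_markup(value):
        return f"attribute '{name}' must not contain HTML markup"
    return None


def escape_for_display(value: str) -> str:
    """Output-side defence: entity-escape a stored value before rendering it
    into a page, so a value that slipped past validation is shown as text
    rather than interpreted as markup."""
    return html.escape(value, quote=True)


def audit_attributes(attrs: Dict[str, str]) -> Dict[str, str]:
    """Run the input check over every attribute of one object and return the
    rejected attributes with their error messages."""
    findings = {}
    for name, value in attrs.items():
        error = validate_text_field(name, value)
        if error:
            findings[name] = error
    return findings


# Constructed sample (hypothetical, not real Syncope data): attributes a user
# might submit through the Console or the Enduser "Personal Information" form.
SAMPLE_ATTRIBUTES = {
    "givenName": "Alice",
    "surname": "<img src=x onerror=alert(1)>",
    "description": "a < b and c > d",
    "note": "&lt;script&gt;alert(1)&lt;/script&gt;",
}

if __name__ == "__main__":
    for name, error in audit_attributes(SAMPLE_ATTRIBUTES).items():
        print(f"REJECT {error}")
    print("escaped surname:", escape_for_display(SAMPLE_ATTRIBUTES["surname"]))
```

Rejecting markup on input is appropriate for fields such as names and descriptions that have no legitimate need for HTML; the output-side escape stays in place regardless, because it also covers values written through other channels (REST API, bulk import, provisioning) that never passed through the form validator.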

Permalink: https://github.com/advisories/GHSA-8pxv-x6jq-5vw9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cHh2LXg2anEtNXZ3Oc4AA-Ev
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 5 days ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-8pxv-x6jq-5vw9, CVE-2024-38503
References: Repository: https://github.com/apache/syncope
Blast Radius: 6.2

Affected Packages

maven:org.apache.syncope.client.idrepo:syncope-client-idrepo-console
Dependent packages: 2
Dependent repositories: 9
Affected Version Ranges: >= 2.1.0, < 3.0.8
Fixed in: 3.0.8
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7
All unaffected versions: 3.0.8, 3.0.9
maven:org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui
Dependent packages: 3
Dependent repositories: 9
Affected Version Ranges: >= 2.1.0, < 3.0.8
Fixed in: 3.0.8
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7
All unaffected versions: 3.0.8, 3.0.9
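The affected-range notation above (">= 2.1.0, < 3.0.8") is what a dependency inventory has to be checked against. The following Python is an added example, not Ecosyste.ms or Apache Syncope code: it reshapes the two affected packages listed on this page into a small dictionary (the field names are this example's own, not the Ecosyste.ms JSON schema), evaluates the range constraints against Maven-style versions, and scans a constructed dependency inventory. Version ordering covers dotted numerics plus a "-qualifier" suffix (a snapshot or milestone of 3.0.8 still counts as below the fix); the full Maven comparison rules are not implemented.

```python
import re
from typing import Dict, List, Tuple

# Affected-package data as listed on this page, keyed by the maven coordinate.
ADVISORY = {
    "id": "GHSA-8pxv-x6jq-5vw9",
    "aliases": ["CVE-2024-38503"],
    "affected": {
        "maven:org.apache.syncope.client.idrepo:syncope-client-idrepo-console":
            {"ranges": [">= 2.1.0, < 3.0.8"], "fixed": "3.0.8"},
        "maven:org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui":
            {"ranges": [">= 2.1.0, < 3.0.8"], "fixed": "3.0.8"},
    },
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(.+))?$")


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sort key for dotted-numeric versions. Trailing zeros are dropped so
    3.0 == 3.0.0, and a qualifier (3.0.8-SNAPSHOT, 3.0.8-M1) sorts before
    the plain release, as Maven does. Other Maven rules are not modelled."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    qualifier = m.group(2) or ""
    return (tuple(nums), 0 if qualifier else 1, qualifier)


_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}
_CONSTRAINT_RE = re.compile(r"^(>=|<=|>|<|=)\s*(\S+)$")


def in_range(version: str, range_spec: str) -> bool:
    """True if version satisfies every comma-separated constraint of a range
    written in the page's notation, e.g. ">= 2.1.0, < 3.0.8"."""
    key = version_key(version)
    for constraint in range_spec.split(","):
        m = _CONSTRAINT_RE.match(constraint.strip())
        if not m:
            raise ValueError(f"unparseable constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](key, version_key(bound)):
            return False
    return True


def is_affected(coordinate: str, version: str, advisory: Dict = ADVISORY) -> bool:
    """Check one Maven coordinate (groupId:artifactId) at a given version
    against the advisory's affected ranges."""
    entry = advisory["affected"].get(f"maven:{coordinate}")
    if entry is None:
        return False
    return any(in_range(version, r) for r in entry["ranges"])


def scan_inventory(inventory: List[Tuple[str, str]], advisory: Dict = ADVISORY) -> List[str]:
    """Return one finding line per affected (coordinate, version) pair."""
    findings = []
    for coordinate, version in inventory:
        if is_affected(coordinate, version, advisory):
            fixed = advisory["affected"][f"maven:{coordinate}"]["fixed"]
            findings.append(
                f"{coordinate}:{version} affected by {advisory['id']} (fixed in {fixed})"
            )
    return findings


# Constructed inventory (hypothetical): the kind of (coordinate, version)
# pairs a `mvn dependency:list` run reduces to. The org.example entry is a
# placeholder for an unrelated dependency.
SAMPLE_INVENTORY = [
    ("org.apache.syncope.client.idrepo:syncope-client-idrepo-console", "3.0.7"),
    ("org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui", "3.0.8"),
    ("org.apache.syncope.client.idrepo:syncope-client-idrepo-console", "3.0.8-SNAPSHOT"),
    ("org.example:some-other-library", "3.0.7"),
]

if __name__ == "__main__":
    for line in scan_inventory(SAMPLE_INVENTORY):
        print(line)
```

The same check applies to the transitive closure, not only to direct dependencies: a deployment that never declares `syncope-client-idrepo-common-ui` itself still pulls it in through the Console artifact, so the inventory fed to `scan_inventory` should come from the resolved dependency tree.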