Apache Syncope Improper Input Validation vulnerability

Moderate severity GitHub Reviewed Published Jul 22, 2024 to the GitHub Advisory Database • Updated Sep 11, 2024

Package: org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui (Maven)
Affected versions: >= 2.1.0, < 3.0.8
Patched versions: 3.0.8

Package: org.apache.syncope.client.idrepo:syncope-client-idrepo-console (Maven)
Affected versions: >= 2.1.0, < 3.0.8
Patched versions: 3.0.8

Description

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing "Personal Information" or "User Requests".

Users are recommended to upgrade to version 3.0.8, which fixes this issue.
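
To check whether a build still resolves an affected version, the following added example (not part of the advisory or of Apache Syncope) scans the text output of `mvn dependency:list` for the two packages and the version range listed above. The sample input is constructed, and treating a qualified build such as `3.0.8-SNAPSHOT` as older than the `3.0.8` release is an assumption of this sketch.

```python
# Affected coordinates and range, taken from the advisory above.
AFFECTED = {
    "org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui",
    "org.apache.syncope.client.idrepo:syncope-client-idrepo-console",
}
FIRST_AFFECTED = "2.1.0"
FIRST_PATCHED = "3.0.8"


def version_key(version):
    """Sort key: numeric parts, then 0 for qualified builds, 1 for releases.

    Assumption: a qualified build (-SNAPSHOT, -M1, ...) sorts before the
    release with the same number, so 3.0.8-SNAPSHOT counts as unpatched.
    """
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))  # pad "3.0" to (3, 0, 0)
    return nums, 0 if qualifier else 1


def is_affected(version):
    """True when FIRST_AFFECTED <= version < FIRST_PATCHED."""
    return version_key(FIRST_AFFECTED) <= version_key(version) < version_key(FIRST_PATCHED)


def find_affected(dependency_list_text):
    """Return (groupId:artifactId, version) for each affected dependency line."""
    hits = []
    for line in dependency_list_text.splitlines():
        for token in line.split():
            # group:artifact:type:version:scope, or with a classifier before version
            parts = token.split(":")
            if len(parts) in (5, 6) and f"{parts[0]}:{parts[1]}" in AFFECTED:
                version = parts[-2]
                if is_affected(version):
                    hits.append((f"{parts[0]}:{parts[1]}", version))
    return hits


# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.syncope.client.idrepo:syncope-client-idrepo-console:jar:3.0.7:compile
[INFO]    org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui:jar:3.0.8:compile
[INFO]    com.example:unrelated-lib:jar:2.5.0:compile
[INFO]    org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui:jar:tests:2.1.0:test
"""

if __name__ == "__main__":
    for coordinate, version in find_affected(SAMPLE):
        print(f"affected: {coordinate} {version} (upgrade to {FIRST_PATCHED})")
```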

References

Published by the National Vulnerability Database Jul 22, 2024
Published to the GitHub Advisory Database Jul 22, 2024
Reviewed Jul 22, 2024
Last updated Sep 11, 2024

Severity

Moderate

EPSS score

0.062%
(27th percentile)

CVE ID

CVE-2024-38503

GHSA ID

GHSA-8pxv-x6jq-5vw9
