CVE-2024-45031

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-45031

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45031.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-45031

Aliases

GHSA-jmrf-85g8-x8xv

Published

2024-10-24T15:15:13.533Z

Modified

2026-03-14T12:36:21.561539Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.

Users are recommended to upgrade to version 3.0.9, which fixes this issue.

References

Affected packages

Git / github.com/apache/syncope

Affected ranges

Type

GIT

Repo

https://github.com/apache/syncope

Events

Introduced

49c2e53ba6baf1423a89b5ab9a24aa665a5780ad

Fixed

44dd536d7994c07644f1cd0e113d396a6f867714

Database specific

{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "3.0.9"
        }
    ]
}

Affected versions

syncope-2.*

syncope-2.1.0

syncope-3.*

syncope-3.0.0

syncope-3.0.0-M0

syncope-3.0.0-M1

syncope-3.0.0-M2

syncope-3.0.1

syncope-3.0.2

syncope-3.0.3

syncope-3.0.4

syncope-3.0.5

syncope-3.0.6

syncope-3.0.7

syncope-3.0.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45031.json"