GHSA-8pxv-x6jq-5vw9

Suggest an improvement
Source
https://github.com/advisories/GHSA-8pxv-x6jq-5vw9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-8pxv-x6jq-5vw9/GHSA-8pxv-x6jq-5vw9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8pxv-x6jq-5vw9
Aliases
Published
2024-07-22T12:30:37Z
Modified
2024-12-07T00:37:45.481925Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Apache Syncope Improper Input Validation vulnerability
Details

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing "Personal Information" or "User Requests".

Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Database specific
{
    "nvd_published_at": "2024-07-22T10:15:08Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-22T18:43:41Z"
}
References

Affected packages

Maven / org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui

Package

Name
org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui
View open source insights on deps.dev
Purl
pkg:maven/org.apache.syncope.client.idrepo/syncope-client-idrepo-common-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
3.0.8

Affected versions

3.*

3.0.0-M0
3.0.0-M1
3.0.0-M2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7

Maven / org.apache.syncope.client.idrepo:syncope-client-idrepo-console

Package

Name
org.apache.syncope.client.idrepo:syncope-client-idrepo-console
View open source insights on deps.dev
Purl
pkg:maven/org.apache.syncope.client.idrepo/syncope-client-idrepo-console

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
3.0.8

Affected versions

3.*

3.0.0-M0
3.0.0-M1
3.0.0-M2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7