GHSA-9h9c-f287-c6vp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9h9c-f287-c6vp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-9h9c-f287-c6vp/GHSA-9h9c-f287-c6vp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9h9c-f287-c6vp
- Aliases
- Published
- 2018-11-06T23:16:18Z
- Modified
- 2023-11-08T04:00:03.163820Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Improper Control of Interaction Frequency in Apache syncope-core
- Details
-
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2020-06-16T21:28:47Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-799" ] }- References
Affected packages
Maven / org.apache.syncope:syncope-core
Package
- Name
- org.apache.syncope:syncope-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.syncope/syncope-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.0.11
Affected versions
1.*
1.0.0-RC1-incubating
1.0.0-RC2-incubating
1.0.0-RC3-incubating
1.0.0-incubating
1.0.1-incubating
1.0.2-incubating
1.0.3-incubating
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.2.0-M1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
2.*
2.0.0-M1
2.0.0-M2
2.0.0-M3
2.0.0-M4
2.0.0.M5
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
Maven / org.apache.syncope:syncope-core
Package
- Name
- org.apache.syncope:syncope-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.syncope/syncope-core