GHSA-jmrf-85g8-x8xv

Source
https://github.com/advisories/GHSA-jmrf-85g8-x8xv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-jmrf-85g8-x8xv/GHSA-jmrf-85g8-x8xv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jmrf-85g8-x8xv
Aliases
  • CVE-2024-45031
Published
2024-10-24T15:31:08Z
Modified
2024-10-24T19:12:14.749908Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Apache Syncope: Stored XSS in Console and Enduser
Details

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.

Users are recommended to upgrade to version 3.0.9, which fixes this issue.

References

Affected packages

Maven / org.apache.syncope.client:syncope-client-console

Package

Name
org.apache.syncope.client:syncope-client-console
Purl
pkg:maven/org.apache.syncope.client/syncope-client-console

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Last affected
2.1.14

Affected versions

2.*

2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14