PT-2018-13940 · Apache+2 · Apache Syncope+2

Published: 2018-11-06 · Updated: 2018-12-13 · CVE-2018-17184

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned
Description: A malicious user with sufficient administration entitlements can inject HTML-like elements containing JavaScript statements into various fields, such as Connector names, Report names, AnyTypeClass keys, and Policy descriptions. When another user with sufficient administration entitlements edits one of these entities via the Admin Console, the injected JavaScript code is executed.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Weakness Enumeration

Related identifiers

CVE-2018-17184
GHSA-9H9C-F287-C6VP

Affected products

Apache Syncope
Org.Apache.Syncope:Syncope-Core
Syncope