PT-2018-13940 · Apache · Apache Syncope

Published: 2018-11-06 · Updated: 2018-12-13 · CVE-2018-17184

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned

Description: A malicious user with sufficient administration entitlements can inject HTML-like elements containing JavaScript statements into various fields, such as Connector names, Report names, AnyTypeClass keys, and Policy descriptions. When another user with sufficient administration entitlements edits one of these entities via the Admin Console, the injected JavaScript code is executed.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness: XSS


Weakness Enumeration

Related Identifiers

CVE-2018-17184
GHSA-9H9C-F287-C6VP

Affected Products

Apache Syncope
Org.Apache.Syncope:Syncope-Core
Syncope