CVE-2018-1321

Name of the Vulnerable Software and Affected Versions: Apache Syncope versions 1.0.x through 1.2.10 Apache Syncope versions 2.0.x through 2.0.7 Apache Syncope version 1.1.x

Description: The issue is related to insufficient input validation in the implementation of XSLT technology in Apache Syncope, allowing an administrator with report and template entitlements to perform malicious operations. These operations include file read, file write, and code execution. The vulnerability can be exploited by a remote attacker.

Recommendations: For Apache Syncope versions 1.0.x through 1.2.10, update to version 1.2.11 or later. For Apache Syncope versions 2.0.x through 2.0.7, update to version 2.0.8 or later. For Apache Syncope version 1.1.x, consider upgrading to a supported release, as this version is unsupported. As a temporary workaround, consider restricting the use of XSL Transformations (XSLT) for administrators with report and template entitlements until a patch is available.