CVE-2024-45031

Name of the Vulnerable Software and Affected Versions Syncope versions prior to 3.0.9

Description The issue allows an attacker to bypass HTML sanitization by using incomplete HTML tags when editing objects in the Syncope Console. This enables the injection of stored XSS payloads, which can trigger for other users during normal application usage. Additionally, XSS payloads can be injected in Syncope Enduser when editing "Personal Information" or "User Requests", and these payloads can trigger for administrators in Syncope Console, allowing session hijacking.

Recommendations For versions prior to 3.0.9, upgrade to version 3.0.9 to fix the issue. As a temporary workaround, consider restricting the editing of objects in the Syncope Console and limiting access to the "Personal Information" and "User Requests" sections in Syncope Enduser to minimize the risk of exploitation.