CVE-2024-38503

Summary

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.

Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Syncope2.1 <= 2.1.14affected
Apache Software FoundationApache Syncope3.0 <= 3.0.7affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References