Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
apache syncope vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2020-1959
A Server-Side Template Injection was identified in Apache Syncope before 2.1.6 enabling malicious users to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom cons...
Apache Syncope
9.8
CVSSv3
CVE-2020-1961
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases before 2.0.15, 2.1.X releases before 2.1.6, enabling malicious users to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) exists.
Apache Syncope
7.2
CVSSv3
CVE-2020-11977
In Apache Syncope 2.1.X releases before 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
Apache Syncope
7.2
CVSSv3
CVE-2018-17186
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
Apache Syncope
7.2
CVSSv3
CVE-2018-1321
An administrator with report and template entitlements in Apache Syncope 1.2.x prior to 1.2.11, 2.0.x prior to 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited...
Apache Syncope 1.0.8
Apache Syncope 1.1.0
Apache Syncope 1.1.7
Apache Syncope 1.2.0
Apache Syncope 1.0.0
Apache Syncope 1.0.4
Apache Syncope 1.0.5
Apache Syncope 1.0.6
Apache Syncope
Apache Syncope 1.1.1
Apache Syncope 1.1.2
Apache Syncope 1.1.3
Apache Syncope 1.1.4
Apache Syncope 1.1.5
Apache Syncope 1.0.7
Apache Syncope 1.0.9
Apache Syncope 1.1.6
Apache Syncope 1.1.8
1 EDB exploit
5.4
CVSSv3
CVE-2019-17557
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.
Apache Syncope
5.4
CVSSv3
CVE-2018-17184
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entiti...
Apache Syncope
4.9
CVSSv3
CVE-2018-1322
An administrator with user search entitlements in Apache Syncope 1.2.x prior to 1.2.11, 2.0.x prior to 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.
Apache Syncope
Apache Syncope 1.1.4
Apache Syncope 1.1.5
Apache Syncope 1.1.6
Apache Syncope 1.1.7
Apache Syncope 1.0.5
Apache Syncope 1.0.7
Apache Syncope 1.0.6
Apache Syncope 1.0.8
Apache Syncope 1.0.0
Apache Syncope 1.0.4
Apache Syncope 1.0.9
Apache Syncope 1.1.1
Apache Syncope 1.1.3
Apache Syncope 1.1.8
Apache Syncope 1.0.3
Apache Syncope 1.1.0
Apache Syncope 1.1.2
1 EDB exploit
NA
CVE-2014-3503
Apache Syncope 1.1.x prior to 1.1.8 uses weak random values to generate passwords, which makes it easier for remote malicious users to guess the password via a brute force attack.
Apache Syncope 1.1.7
Apache Syncope 1.1.0
Apache Syncope 1.1.4
Apache Syncope 1.1.3
Apache Syncope 1.1.6
Apache Syncope 1.1.5
Apache Syncope 1.1.2
Apache Syncope 1.1.1
NA
CVE-2014-0111
Apache Syncope 1.0.0 prior to 1.0.9 and 1.1.0 prior to 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of re...
Apache Syncope
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-3201
CVE-2024-4779
CVE-2024-35090
CVE-2024-5084
hard-coded
CVE-2024-4985
HTML injection
CVE-2024-33655
local file inclusion
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started