[MAVEN:GHSA-8PXV-X6JQ-5VW9] Apache Syncope Improper Input Validation vulnerability

Severity Moderate
Affected Packages 2
Fixed Packages 2
CVEs 1

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing "Personal Information" or "User Requests".

Users are recommended to upgrade to version 3.0.8, which fixes this issue.

ID: MAVEN:GHSA-8PXV-X6JQ-5VW9
Severity: moderate
URL: https://github.com/advisories/GHSA-8pxv-x6jq-5vw9
Published: 2024-07-22T12:30:37
Modified: 2024-07-22T18:43:42
Rights: Maven Security Team

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.apache.syncope.client.idrepo/syncope-client-idrepo-console | org.apache.syncope.client.idrepo | syncope-client-idrepo-console | >= 2.1.0 < 3.0.8 | | | |
| Fixed | pkg:maven/org.apache.syncope.client.idrepo/syncope-client-idrepo-console | org.apache.syncope.client.idrepo | syncope-client-idrepo-console | = 3.0.8 | | | |
| Affected | pkg:maven/org.apache.syncope.client.idrepo/syncope-client-idrepo-common-ui | org.apache.syncope.client.idrepo | syncope-client-idrepo-common-ui | >= 2.1.0 < 3.0.8 | | | |
| Fixed | pkg:maven/org.apache.syncope.client.idrepo/syncope-client-idrepo-common-ui | org.apache.syncope.client.idrepo | syncope-client-idrepo-common-ui | = 3.0.8 | | | |