CVE-2024-38503
MEDIUM
Syncope Console <3.0.8 - XSS
Title source: llm
Description
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue.
Scores
CVSS v3: 5.4
EPSS: 0.0340
EPSS Percentile: 87.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Classification
CWE: CWE-79
Status: published
Affected Products (3)
apache/syncope: < 2.1.14
org.apache.syncope.client.idrepo/syncope-client-idrepo-common-ui: < 3.0.8 (Maven)
org.apache.syncope.client.idrepo/syncope-client-idrepo-console: < 3.0.8 (Maven)
Timeline
Published: Jul 22, 2024
Tracked Since: Feb 18, 2026