CVE-2024-38503
Severity: MEDIUM
Apache Syncope 2.1.0-2.1.13 Stored XSS in Console/Enduser Text Fields
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue.
References (3)
Vendor Advisory
https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser
Scores
CVSS v3
5.4
EPSS
0.0596
EPSS Percentile
90.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
apache/syncope
2.1.0 - 2.1.14
org.apache.syncope.client.idrepo/syncope-client-idrepo-common-ui
2.1.0 - 3.0.8 (Maven)
org.apache.syncope.client.idrepo/syncope-client-idrepo-console
2.1.0 - 3.0.8 (Maven)
Published
Jul 22, 2024
Tracked Since
Feb 18, 2026