CVE-2024-45031

MEDIUM

Syncope <3.0.9 - XSS

Title source: llm

Description

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking. Users are recommended to upgrade to version 3.0.9, which fixes this issue.

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/fn567pfmo3s55ofkc42drz8b4kgbhp9m

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2024/10/24/2

Scores

CVSS v3 6.1

EPSS 0.0139

EPSS Percentile 80.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

apache/syncope < 3.0.9

org.apache.syncope.client/syncope-client-console Maven

Timeline

Published Oct 24, 2024

Tracked Since Feb 18, 2026