CVE-2018-17184

CWE-79Cross-site Scripting (XSS)CWE-7994 documents4 sources
Severity
5.4MEDIUM
EPSS
1.0%
top 22.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache SyncopeApache Software Foundation Apache Syncope
Timeline
PublishedNov 6

Description

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

NVDapache/syncope2.0.02.0.11+1
Mavenorg.apache.syncope:syncope-core2.1.02.1.2+1
CVEListV5apache_software_foundation/apache_syncopeApache Syncope releases prior to 2.0.11 and 2.1.2

🔴Vulnerability Details

3
OSV
Improper Control of Interaction Frequency in Apache syncope-core2018-11-06
GHSA
Improper Control of Interaction Frequency in Apache syncope-core2018-11-06
CVEList
CVE-2018-17184: A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report n2018-11-06
CVE-2018-17184 (MEDIUM CVSS 5.4) | A malicious user with enough admini | cvebase.io