CVE-2019-17557

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

1.2%

top 21.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Syncope

Timeline

PublishedMay 4

Latest updateJan 6

Description

It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Mavenorg.apache.syncope.client:syncope-client-enduser2.1.0 — 2.1.6+1

▶NVDapache/syncope2.0.0 — 2.0.15+1

▶CVEListV5apache_syncopeApache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6

🔴Vulnerability Details

GHSA

Cross-site scripting in Apache Syncome EndUser↗2022-01-06

▶

OSV

Cross-site scripting in Apache Syncome EndUser↗2022-01-06

▶

CVEList

CVE-2019-17557: It was found that the Apache Syncope EndUser UI login page prio to 2↗2020-05-04

▶