Apache Software Foundation Apache Syncope vulnerabilities

10 known vulnerabilities affecting apache_software_foundation/apache_syncope.

Total CVEs
10
CISA KEV
0
Public exploits
2
Exploited in wild
0
Severity breakdown
HIGH 4, MEDIUM 6

Vulnerabilities

CVE-2026-23795 | MEDIUM | CVSS 4.9 | Affected: ≥ 3.0, ≤ 3.0.15; ≥ 4.0, ≤ 4.0.3 | Published: 2026-02-03
CWE-611: Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage. This issue affects Apache Syncope: from 3.0 through 3.0
Sources: cvelistv5, nvd
CVE-2026-23794 | MEDIUM | CVSS 6.8 | Affected: ≥ 3.0, ≤ 3.0.15; ≥ 4.0, ≤ 4.0.3 | Published: 2026-02-03
CWE-79: Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fi
Sources: cvelistv5, nvd
CVE-2025-65998 | HIGH | CVSS 7.5 | Affected: ≥ 2.1, ≤ 2.1.14; ≥ 3.0, ≤ 3.0.14; +1 more | Published: 2025-11-24
CWE-321: Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker who has obtained access to the internal database content to reconstruct th
Sources: cvelistv5, nvd
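Added example, not Syncope's own code, showing why the hard-coded key in CVE-2025-65998 defeats the purpose of encrypting stored passwords, and the minimum corrective pattern. A key compiled into an open-source artifact is public, so anyone holding a copy of the database decrypts every value exactly as the application would. The first part of main() does that with a placeholder constant; the second part draws a per-deployment key from outside the code base and shows the hard-coded key failing against it. The environment variable name SYNCOPE_PASSWORD_AES_KEY, the AES-GCM construction and the placeholder key bytes are assumptions for illustration, not the project's configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class PasswordCrypto {

    // The anti-pattern: a key baked into the source. This value is a made-up
    // placeholder; the point is that whatever it is, it ships with the jar.
    private static final byte[] HARD_CODED_KEY =
        "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    private static final SecureRandom RNG = new SecureRandom();

    /** Per-deployment key supplied from the environment (hypothetical variable name); never falls back. */
    public static SecretKey deploymentKey() {
        String b64 = System.getenv("SYNCOPE_PASSWORD_AES_KEY");
        if (b64 == null || b64.isEmpty()) {
            throw new IllegalStateException(
                "SYNCOPE_PASSWORD_AES_KEY is not set; refusing to fall back to a built-in key");
        }
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 32) {
            throw new IllegalStateException("expected a 256-bit key, got " + (raw.length * 8) + " bits");
        }
        return new SecretKeySpec(raw, "AES");
    }

    /** AES-GCM with a fresh 96-bit nonce per value; output is Base64(nonce || ciphertext+tag). */
    public static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public static String decrypt(SecretKey key, String blob) throws Exception {
        byte[] in = Base64.getDecoder().decode(blob);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SecretKey weak = new SecretKeySpec(HARD_CODED_KEY, "AES");
        // Constructed sample password; "stored" stands in for a column value in a DB dump.
        String stored = encrypt(weak, "correct-horse-battery");
        // Anyone with the dump and the source does exactly this.
        System.out.println("recovered with hard-coded key: " + decrypt(weak, stored));

        // Hardened setup: a random key that exists only in this deployment
        // (what deploymentKey() would return in production).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey perDeployment = kg.generateKey();
        String storedSafely = encrypt(perDeployment, "correct-horse-battery");
        try {
            decrypt(weak, storedSafely);
            System.out.println("hard-coded key still works (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("hard-coded key rejected: authentication tag mismatch");
        }
    }
}
```

A key that must be reversible belongs in a keystore or secret manager and needs a rotation path; and where nothing downstream needs the cleartext back, a one-way password hash is the right store in the first place, which is why AES is not the default here.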
CVE-2025-57738 | HIGH | CVSS 7.2 | Affected: ≥ 2.1, ≤ 2.1.14; ≥ 3.0, ≤ 3.0.13; +1 more | Published: 2025-10-20
CWE-653: Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing custom implementations of a few Java interfaces to be provided; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload. Such a feature has been av
Sources: cvelistv5, nvd
CVE-2024-45031 | MEDIUM | CVSS 6.1 | Affected: ≥ 2.1, ≤ 2.1.14; ≥ 3.0, ≤ 3.0.8 | Published: 2024-10-24
CWE-79: When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: su
Sources: cvelistv5, nvd
CVE-2024-38503 | MEDIUM | CVSS 5.4 | Affected: ≥ 2.1, ≤ 2.1.14; ≥ 3.0, ≤ 3.0.7 | Published: 2024-07-22
CWE-79: When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue.
Sources: cvelistv5, nvd
CVE-2018-17186 | HIGH | CVSS 7.2 | Affected: Apache Syncope releases prior to 2.0.11 and 2.1.2 | Published: 2018-11-06
CWE-611: An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
Sources: cvelistv5, nvd
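Both CWE-611 entries on this page (CVE-2026-23795, XML in Keymaster parameters, and CVE-2018-17186, DTDs in workflow definitions) come down to the same thing: XML authored by an entitled but not fully trusted administrator is handed to a parser that still honours DOCTYPE declarations. The following is an added example, not the project's own code, of the JAXP hardening a reviewer would expect around any such parse, shown against the JDK default parser. The Xerces feature URIs are the standard ones; the payload and the temporary file it points at are constructed for the demonstration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class SafeXml {

    /** DOM parser for XML that an entitled but untrusted administrator supplies. */
    public static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: without a DTD there is nowhere to declare entities,
        // so external entities, parameter entities and expansion bombs are all gone.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must still accept a DOCTYPE.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file the server can read but the admin should not see.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "s3cret-from-disk");

        // Constructed XXE payload: an external general entity pointing at that file.
        String payload =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE param [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
          + "<param><value>&xxe;</value></param>";

        // JDK-default factory: the entity is resolved and the file content lands inside <value>.
        DocumentBuilder lax = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document d = lax.parse(new InputSource(new StringReader(payload)));
        System.out.println("default parser : value=" + d.getDocumentElement().getTextContent());

        // Hardened factory: parsing fails at the DOCTYPE before any entity is looked at.
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(payload)));
            System.out.println("hardened parser: accepted the input (should not happen)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser: rejected - " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

The same feature set applies to SAXParserFactory and XMLInputFactory; whichever API the code path uses, the check to make in review is that the factory is configured before the first parse and that no caller obtains a factory with defaults.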
CVE-2018-17184 | MEDIUM | CVSS 5.4 | Affected: Apache Syncope releases prior to 2.0.11 and 2.1.2 | Published: 2018-11-06
CWE-79: A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
Sources: cvelistv5, nvd
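Four of the entries above are CWE-79 (CVE-2026-23794 reflected on the Enduser login page; CVE-2024-45031, CVE-2024-38503 and CVE-2018-17184 stored in Console and Enduser fields), and CVE-2024-45031 in particular names the mechanism: a sanitizer that strips complete tags is bypassed by a tag with no closing '>', because the browser's error-tolerant parser keeps reading until the next '>' somewhere later in the page. The added example below, which is not Syncope's code and does not reproduce the advisories' payloads, contrasts that kind of strip-tags filter with contextual output encoding, the control that holds regardless of how malformed the input is. Sample strings are constructed.

```java
import java.util.regex.Pattern;

public final class HtmlOutput {

    // The pattern a strip-tags sanitizer relies on: it only ever removes a
    // well-formed "<...>" run. An opening '<' with no matching '>' is untouched.
    private static final Pattern COMPLETE_TAG = Pattern.compile("<[^>]*>");

    public static String naiveStripTags(String s) {
        return COMPLETE_TAG.matcher(s).replaceAll("");
    }

    // Output encoding for HTML text content and quoted attribute values: every
    // character with a meaning to the HTML tokenizer becomes an entity, so user
    // text can neither open a tag nor terminate the attribute it sits in.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: a complete tag, the same tag left unclosed, and
        // legitimate text that contains HTML-significant characters.
        String[] samples = {
            "<img src=x onerror=alert(1)>",
            "<img src=x onerror=alert(1)",
            "Alice \"O'Brien\" <alice@example.org>",
        };
        for (String s : samples) {
            System.out.println("input          : " + s);
            System.out.println("naiveStripTags : " + naiveStripTags(s));
            System.out.println("escapeHtml     : " + escapeHtml(s));
            System.out.println();
        }
    }
}
```

Running it shows the two failure modes of the strip-tags approach side by side: the unclosed tag passes through untouched, while the harmless e-mail address in angle brackets is destroyed. Encoding at the point of output keeps both the attacker's and the legitimate user's text inert and intact; if a field genuinely must render rich text, the right tool is an allow-list HTML sanitizer built on a real HTML parser, not a regular expression.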
CVE-2018-1321 | HIGH | CVSS 7.2 | PoC | Affected: releases prior to 1.2.11, releases prior to 2.0.8; the unsupported releases 1.0.x, 1.1.x may also be affected | Published: 2018-03-20
CWE-20: An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
Sources: cvelistv5, nvd
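An XSLT stylesheet is a program: with extension functions enabled it can call into Java, and through document(), xsl:include and xsl:import it can read anything the process can reach, which is how "file read, file write, and code execution" arise from a report template. The added example below (not Syncope's own code) configures a JAXP TransformerFactory for stylesheets supplied by an entitled but untrusted administrator and runs a constructed stylesheet that reads a temporary file through document() against both the JDK-default and the hardened factory. The XMLConstants attributes are standard JAXP 1.5; the file and stylesheet are constructed for the demonstration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public final class SafeXslt {

    /** Factory for stylesheets authored by an entitled but untrusted administrator. */
    public static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing: extension functions (the hop from XSLT into arbitrary
        // Java method calls) are disabled and the JAXP resource limits apply.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no external DTDs, and no xsl:import / xsl:include /
        // document() fetches over file, http or any other scheme.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static String transform(TransformerFactory tf, String xsl, String xml) throws Exception {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a server-side file the report author must not see.
        Path secret = Files.createTempFile("xslt-demo", ".xml");
        Files.writeString(secret, "<secret>s3cret-from-disk</secret>");

        String xml = "<report><user>alice</user></report>";
        // Constructed stylesheet: an ordinary template that also calls document()
        // on a file URL, which is the shape of an XSLT file read.
        String xsl =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
          + "<xsl:output method=\"text\"/>"
          + "<xsl:template match=\"/\">"
          + "user=<xsl:value-of select=\"/report/user\"/> "
          + "leak=<xsl:value-of select=\"document('" + secret.toUri() + "')/secret\"/>"
          + "</xsl:template></xsl:stylesheet>";

        System.out.println("default factory : " + transform(TransformerFactory.newInstance(), xsl, xml));
        try {
            System.out.println("hardened factory: " + transform(hardenedFactory(), xsl, xml));
        } catch (TransformerException e) {
            System.out.println("hardened factory: rejected - " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

With the default factory the file's content appears after "leak="; with the hardened one the document() call is refused, either as a TransformerException or as an empty result depending on the JDK's error reporting, and in neither case does the content leave the server. If a third-party XSLT engine such as a standalone Xalan is on the classpath, check that it honours these attributes (setAttribute throws IllegalArgumentException if not) rather than assuming the JDK behaviour.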
CVE-2018-1322 | MEDIUM | CVSS 4.9 | PoC | Affected: releases prior to 1.2.11, releases prior to 2.0.8; the unsupported releases 1.0.x, 1.1.x may also be affected | Published: 2018-03-20
CWE-200: An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.
Sources: cvelistv5, nvd
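A search API leaks a value it never returns if the caller can compare against it or sort by it: a FIQL comparison such as =ge= answers "is the secret above X?" one bit at a time, and an orderby on the same attribute reveals the relative order of every user's value. The mitigation is an allow-list of attributes that may appear in either parameter, applied before the expression reaches the query layer and failing closed on anything it cannot parse. The following is an added example, not Syncope's code: the attribute names in the allow-list, the orderby syntax and the sample requests are constructed, and the FIQL handling covers only the core grammar (selector, operator, argument, joined by ';' and ',' with parentheses).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class SearchGuard {

    // Constructed allow-list: attributes a caller holding only search entitlements
    // may filter or sort on. Secret-bearing attributes are simply absent from it.
    private static final Set<String> SEARCHABLE = Set.of("username", "email", "status", "creationDate");

    // One FIQL condition: selector, operator (==, !=, =gt=, =ge=, =lt=, =le=, =in=, ...), argument.
    private static final Pattern CONDITION =
        Pattern.compile("([A-Za-z_][A-Za-z0-9_.]*)(==|!=|=[A-Za-z]+=)(.*)");

    /** Selectors of a FIQL expression; throws (fails closed) on any condition it cannot parse. */
    public static List<String> fiqlSelectors(String fiql) {
        List<String> out = new ArrayList<>();
        // ';' is AND, ',' is OR and parentheses group: splitting on them leaves atomic conditions.
        for (String atom : fiql.split("[;,()]")) {
            if (atom.isEmpty()) {
                continue;
            }
            Matcher m = CONDITION.matcher(atom);
            if (!m.matches()) {
                throw new IllegalArgumentException("unparseable FIQL condition: " + atom);
            }
            out.add(m.group(1));
        }
        return out;
    }

    /** Sort keys of an "attr [ASC|DESC], attr [ASC|DESC]" orderby parameter (assumed syntax). */
    public static List<String> orderByKeys(String orderBy) {
        List<String> out = new ArrayList<>();
        for (String clause : orderBy.split(",")) {
            String[] parts = clause.trim().split("\\s+");
            boolean badDirection = parts.length == 2
                && !parts[1].equalsIgnoreCase("ASC") && !parts[1].equalsIgnoreCase("DESC");
            if (parts[0].isEmpty() || parts.length > 2 || badDirection) {
                throw new IllegalArgumentException("unparseable orderby clause: " + clause);
            }
            out.add(parts[0]);
        }
        return out;
    }

    /** Attributes named by either parameter that are outside the allow-list; empty means the request may proceed. */
    public static List<String> disallowed(String fiql, String orderBy) {
        List<String> bad = new ArrayList<>();
        for (String s : fiqlSelectors(fiql)) {
            if (!SEARCHABLE.contains(s)) {
                bad.add(s);
            }
        }
        for (String s : orderByKeys(orderBy)) {
            if (!SEARCHABLE.contains(s)) {
                bad.add(s);
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed requests: an ordinary search, then two that compare against or
        // sort by an attribute the caller is not entitled to learn anything about.
        System.out.println(disallowed("username==a*;status==active", "creationDate DESC"));
        System.out.println(disallowed("username==a*;password=ge=x", "username ASC"));
        System.out.println(disallowed("status==active", "password DESC, username"));
    }
}
```

The allow-list belongs next to the entitlement check rather than in the persistence layer, so that a new attribute is unsearchable until someone decides otherwise; and the same list has to govern orderby, since a sort is as good an oracle as a comparison.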