CVE-2018-1321
Severity: HIGH (7.2) | EPSS: 6.4%
High severity vulnerability that affects org.apache.syncope:syncope-core
Published: 11/6/2018 | Modified: 3/4/2024
Description
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
Affected packages (1)
- Maven / org.apache.syncope:syncope-core: from 0, < 1.2.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.2) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORY: https://github.com/advisories/GHSA-xgc9-9w4v-h33h
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-1321
- WEB: https://github.com/apache/syncope/commit/726231fbf7b817bd2a9467171dcb1c0087c75bc
- WEB: https://github.com/apache/syncope/commit/ad31479c1c543ac7d26b8c882aa14f6c00c1fd0
- WEB: https://www.exploit-db.com/exploits/45400
- WEB: http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements
- WEB: http://www.securityfocus.com/bid/103508