CVE-2018-1321
HIGH 7.2 | EPSS 6.4%
High severity vulnerability that affects org.apache.syncope:syncope-core
Published: 2018/11/6 | Modified: 2024/3/4
Description
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
Affected packages (1)
- Maven/org.apache.syncope:syncope-core: from 0, < 1.2.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORY: https://github.com/advisories/GHSA-xgc9-9w4v-h33h
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-1321
- WEB: https://github.com/apache/syncope/commit/726231fbf7b817bd2a9467171dcb1c0087c75bc
- WEB: https://github.com/apache/syncope/commit/ad31479c1c543ac7d26b8c882aa14f6c00c1fd0
- WEB: https://www.exploit-db.com/exploits/45400
- WEB: http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements
- WEB: http://www.securityfocus.com/bid/103508