CVE-2018-17184

MEDIUM5.4EPSS 1.0%

Improper Control of Interaction Frequency in Apache syncope-core

發布日:2018/11/6修改日:2023/11/8

描述

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.

受影響套件(1)

Maven/org.apache.syncope:syncope-corefrom 0, < 2.0.11

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

參考連結(3)

ADVISORYhttps://github.com/advisories/GHSA-9h9c-f287-c6vp
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-17184
WEBhttps://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS