CVE-2024-38503: Apache Syncope: HTML tags can be injected into Console or Enduser text fields

Description

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”.

Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Classification

CVE ID: CVE-2024-38503

Affected Products

Vendor: Apache Software Foundation

Product: Apache Syncope

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 29.13% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser
https://www.openwall.com/lists/oss-security/2024/07/22/3

Timeline

2024-12-07 00:31:12 UTC
CVE

Apache Syncope: HTML tags can be injected into Console or Enduser text fields