High severity vulnerability that affects org.apache.syncope:syncope-core
High severity
GitHub Reviewed
Published
Nov 6, 2018
to the GitHub Advisory Database
•
Updated Mar 4, 2024
Package
Affected versions
< 1.2.11
>= 2.0.0, < 2.0.8
Patched versions
1.2.11
2.0.8
Description
Published to the GitHub Advisory Database
Nov 6, 2018
Reviewed
Jun 16, 2020
Last updated
Mar 4, 2024
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
References