CVE-2024-38503: Apache Syncope: HTML tags can be injected into Console or Enduser text fields

Vendor: Apache Software Foundation
Product: Apache Syncope
Weakness: CWE-79 · XSS
Published: July 22, 2024
Last update: December 6, 2024

What the vulnerability does

Description

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue.

Key dates

Disclosure timeline

July 22, 2024: CVE published
December 6, 2024: Record updated