=====================================================================

                                CERT-Renater

                     Note d'Information No. 2024/VULN439
_____________________________________________________________________

DATE                : 24/10/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Syncope 2.1.x, or 3.0.x
                     prior to 3.0.9.

=====================================================================
https://lists.apache.org/thread/1h1t7lxcz40o0qttlto2884l90nygr5r
_____________________________________________________________________

CVE-2024-45031: Apache Syncope: Stored XSS in Console and Enduser
Severity: moderate

Affected versions:

- Apache Syncope 2.1 through 2.1.14
- Apache Syncope 3.0 through 3.0.8


Description:

When editing objects in the Syncope Console, incomplete HTML tags (for
example a tag left without its closing '>') could be used to bypass
HTML sanitization. This made it possible to inject stored XSS payloads
which would trigger for other users during ordinary usage of the
application.
XSS payloads could also be injected in Syncope Enduser when editing
"Personal Information" or "User Requests": such payloads would then
trigger for administrators viewing those objects in Syncope Console,
thus enabling session hijacking of administrator sessions.

Users are recommended to upgrade to version 3.0.9, which fixes this
issue. The advisory lists no fixed release for the 2.1 line.
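The example below is added by the editor and is not Apache Syncope
code: it does not reproduce Syncope's sanitizer or markup, but shows
the general mechanism the advisory describes, namely how a tag that is
never closed slips past a sanitizer that only recognises complete
<...> tags, and why the surrounding page completes it. The regex
sanitizer (naive_sanitize), the page template, the payloads and the
helper names (safe_encode, HandlerFinder, render_and_scan) are all
hypothetical constructions; Python's html.parser stands in for a
browser's HTML tokenizer, which handles this input the same way.

```python
"""Why an 'incomplete' HTML tag slips past a naive sanitizer.

Added example, not Apache Syncope code. The sanitizer below is a
deliberately naive, hypothetical regex stripper, not the one Syncope used.
"""
import html
import re
from html.parser import HTMLParser

# Hypothetical blocklist sanitizer: removes anything that looks like a
# complete <...> tag. It only recognises a tag once it sees the closing '>'.
TAG_RE = re.compile(r"<[^>]*>")


def naive_sanitize(value: str) -> str:
    """Strip complete tags; an unterminated tag is left untouched."""
    return TAG_RE.sub("", value)


def safe_encode(value: str) -> str:
    """Output encoding: every '<', '>', '&' and quote becomes an entity."""
    return html.escape(value, quote=True)


class HandlerFinder(HTMLParser):
    """Records every element and every on* event-handler attribute seen."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, val in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name, val))


def render_and_scan(user_value: str, sanitizer) -> list:
    """Embed a user-controlled field in a page template and tokenize the result.

    The template stands in for a form cell (constructed, not Syncope markup).
    Tokenizing the *whole page* rather than the bare fragment matters: a
    browser closes an unterminated tag with whatever follows it, so the
    surrounding markup completes the attacker's tag. Returns the list of
    (tag, attribute, value) event handlers that survive.
    """
    page = "<table><tr><td>" + sanitizer(user_value) + "</td></tr></table>"
    finder = HandlerFinder()
    finder.feed(page)
    finder.close()
    return finder.handlers


# Constructed payloads. The second omits the closing '>' and ends with
# '//' so that whatever markup follows it becomes a JS line comment.
COMPLETE_TAG = "<img src=x onerror=alert(1)>"
INCOMPLETE_TAG = "<img src=x onerror=alert(1)//"


if __name__ == "__main__":
    for label, payload in (("complete", COMPLETE_TAG), ("incomplete", INCOMPLETE_TAG)):
        # The complete tag is stripped; the incomplete one is not, and once
        # the page closes it, an onerror handler exists. Output encoding
        # neutralises both.
        print(label, "naive  :", render_and_scan(payload, naive_sanitize))
        print(label, "encoded:", render_and_scan(payload, safe_encode))
```

The practical check this suggests for any application that filters HTML
on input: test the field with an unterminated tag, then inspect the
rendered page rather than the stored value, because the bypass only
becomes visible once the page's own markup supplies the missing '>'.
Contextual output encoding (or a parser-based sanitizer that re-serialises
an allowlisted tree) does not depend on the attacker's tag being
well-formed, which is why it closes this class of bypass.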


Credit:

Kasper Karlsson, Omegapoint (finder)
Pontus Hanssen, Omegapoint (finder)


References:

https://syncope.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-45031




=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
