=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN103
_____________________________________________________________________

DATE                : 02/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Syncope versions prior
                     to 3.0.16, 4.0.4.

=====================================================================
https://lists.apache.org/thread/sf1z0ty674cjz86njqfc73t4vvf62b02
https://lists.apache.org/thread/17j7lpct2mqpsr3q2s3c1qo9rx26w52l
_____________________________________________________________________

CVE-2026-23795: Apache Syncope: Console XXE on Keymaster parameters
Severity: moderate 

Affected versions:

- Apache Syncope (org.apache.syncope.client.idrepo:syncope-client-idrepo-console) 3.0 through 3.0.15
- Apache Syncope (org.apache.syncope.client.idrepo:syncope-client-idrepo-console) 4.0 through 4.0.3

Description:

Improper Restriction of XML External Entity Reference vulnerability
in Apache Syncope Console.
An administrator with adequate entitlements to create or edit
Keymaster parameters via Console can construct malicious XML text to
launch an XXE attack, thereby causing sensitive data leakage.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0
through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which
fix this issue.
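The vulnerability class above is prevented by how the XML value is parsed, not by the value itself. The following is an added example (not Apache Syncope's own code, and not the project's actual fix) of a hardened JAXP DocumentBuilderFactory that rejects DOCTYPE declarations and external entities; the class name, the sample strings and the file path inside the entity declaration are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // Constructed sample: a parameter-like XML value carrying an external entity declaration.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE p [<!ENTITY ext SYSTEM \"file:///tmp/constructed-example.txt\">]>"
      + "<param>&ext;</param>";

    // Constructed sample: an ordinary parameter value with no DTD.
    static final String SAMPLE_PLAIN = "<param>value</param>";

    // Factory configured so that DTDs, external entities and XInclude are all refused.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Any DOCTYPE (the carrier of entity declarations) is a hard parse error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Defence in depth: even if a resolver were consulted, it returns an empty source.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // The plain value parses normally and yields its text content.
        System.out.println(parse(SAMPLE_PLAIN).getDocumentElement().getTextContent());
        try {
            parse(SAMPLE_WITH_DOCTYPE); // rejected before any entity can be resolved
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces parser the second call fails at the DOCTYPE itself, so no entity is ever resolved; the same feature set applies to SAXParserFactory and XMLInputFactory equivalents.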

Credit:

follycat (finder)
Y0n3er (finder)

References:

https://syncope.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-23795


_____________________________________________________________________

CVE-2026-23794: Apache Syncope: Reflected XSS on Enduser Login
Severity: important 

Affected versions:

- Apache Syncope (org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui) 3.0 through 3.0.15
- Apache Syncope (org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui) 4.0 through 4.0.3

Description:

Reflected XSS in Apache Syncope's Enduser Login page.
An attacker that tricks a legitimate user into clicking a malicious
link and logging in to Syncope Enduser could steal that user's
credentials.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from
4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which
fix this issue.


Credit:

Kasper Karlsson (finder)
Karin Taliga (finder)


References:

https://syncope.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-23794


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
