CVE-2024-45031
Description
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.

XSS payloads could also be injected in Syncope Enduser when editing Personal Information or User Requests: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking.

Users are recommended to upgrade to version 3.0.9, which fixes this issue.
Risk Information
Base Score
6.1
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
2.532
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| CVE-2024-45031 affects Apache syncope-client-console 2.1.14 | Windows |
| CVE-2024-45031 affects Apache syncope-client-console for Linux 2.1.14 | Linux |
Patch Details
No records found