Posted to dev@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2020/05/02 12:26:23 UTC

[CVE-2019-17557] Enduser UI XSS

Description:
It was found that the Enduser UI login page reflects the value of the successMessage query parameter into the page.
By this means, a user opening a crafted Enduser UI URL could have JavaScript supplied in the URL query string executed in their browser (reflected cross-site scripting).
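
The following is an added example, not code from Apache Syncope or from the advisory: a minimal model of the pattern described above (a query parameter echoed into page markup), the hardened form that HTML-encodes the value before it reaches the markup, and the probe a tester would run against an installation to check for the unencoded reflection. The host, path, element markup and function names are assumptions.

```javascript
// Added example, not Apache Syncope code: models reflected XSS through a
// "successMessage" query parameter. URL, markup and names are assumptions.

const PARAM = 'successMessage';

// Read the parameter from the URL the way a browser-side script would;
// URLSearchParams percent-decodes the value, so %3C becomes '<'.
function getSuccessMessage(url) {
  return new URL(url).searchParams.get(PARAM) || '';
}

// Vulnerable: the raw parameter is concatenated into markup. If the page
// assigns this string to innerHTML (or a framework's HTML-binding
// directive), any tags from the query string become live DOM.
function renderVulnerable(url) {
  return '<div class="alert alert-success">' + getSuccessMessage(url) + '</div>';
}

// Encode the five HTML-significant characters so the value is shown as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: the parameter is HTML-escaped before it is placed in the markup.
function renderHardened(url) {
  return '<div class="alert alert-success">' + escapeHtml(getSuccessMessage(url)) + '</div>';
}

// Tester's probe: send a harmless canary in the parameter and report whether
// the response body contains it with the angle brackets intact. An encoded
// reflection (&lt;xss-probe&gt;) does not match and is reported as safe.
function reflectsUnencoded(responseBody, canary) {
  return responseBody.includes(canary);
}

// Stand-alone demo on a constructed URL (host and path are made up).
const canary = '<xss-probe>';
const probeUrl = 'https://enduser.example.test/login?' + PARAM + '=' + encodeURIComponent(canary);
console.log('vulnerable page reflects canary:', reflectsUnencoded(renderVulnerable(probeUrl), canary)); // true
console.log('hardened page reflects canary:  ', reflectsUnencoded(renderHardened(probeUrl), canary));  // false
```

In a real test the body passed to reflectsUnencoded would be the HTTP response of the login page fetched with the canary in the query string; a true result on a 2.0.X release before 2.0.15 or a 2.1.X release before 2.1.6 is the condition this advisory describes, and the fix is to upgrade rather than to patch the page locally.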

Severity: Medium

Vendor: The Apache Software Foundation

Affects:
2.0.X releases prior to 2.0.15
2.1.X releases prior to 2.1.6

Solution:
2.0.X users: upgrade to 2.0.15
2.1.X users: upgrade to 2.1.6

Credit:
This issue was independently discovered by CNCERT songmingxuan and GitHub Security Lab team member Alvaro Muñoz - https://github.com/pwntester

References:
https://syncope.apache.org/security