Posted to dev@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2020/05/02 12:31:54 UTC

[CVE-2020-1961] Server-Side Template Injection on mail templates

Description:
A Server-Side Template Injection vulnerability in mail templates was discovered, enabling attackers to inject arbitrary JEXL expressions and leading to Remote Code Execution (RCE).

Severity: Important

Vendor: The Apache Software Foundation

Affects:
2.0.X releases prior to 2.0.15
2.1.X releases prior to 2.1.6

Solution:
2.0.X users: upgrade to 2.0.15
2.1.X users: upgrade to 2.1.6

Credit:
This issue was discovered by GitHub Security Labs team member Alvaro Muñoz - https://github.com/pwntester.

References:
https://syncope.apache.org/security