An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
References
Link | Resource |
---|---|
http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements | Mitigation Vendor Advisory |
http://www.securityfocus.com/bid/103508 | Third Party Advisory VDB Entry |
https://www.exploit-db.com/exploits/45400/ | Third Party Advisory VDB Entry |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2018-03-20 17:29
Updated : 2024-02-28 16:25
NVD link : CVE-2018-1321
Mitre link : CVE-2018-1321
CVE.ORG link : CVE-2018-1321
JSON object : View
Products Affected
apache
- syncope
CWE
CWE-20
Improper Input Validation