CVE-2019-17557

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.syncope.client/syncope-client-enduser

Identifiers

GHSA-6qj8-c27w-rp33, CVE-2019-17557

Package Slug

maven/org.apache.syncope.client/syncope-client-enduser

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

It was found that the Apache Syncope EndUser UI login page prior to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this means, a user accessing the EndUser UI could execute JavaScript code from the URL query string.

Affected Versions

All versions before 2.0.15, all versions starting from 2.1.0 before 2.1.6

Solution

Upgrade to versions 2.0.15, 2.1.6 or above.

Last Modified

2022-01-11
