CVE-2018-17184: XSS
First published: Tue Nov 06 2018(Updated: )
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Syncope | >=2.0.0<2.0.11 | |
| Apache Syncope | >=2.1.0<2.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2018-17184?
CVE-2018-17184 is a vulnerability that allows a malicious user with enough administration entitlements to inject HTML-like elements containing JavaScript statements into certain fields in Apache Syncope.
How does CVE-2018-17184 work?
CVE-2018-17184 allows a malicious user to inject malicious JavaScript code into Connector names, Report names, AnyTypeClass keys, and Policy descriptions in Apache Syncope.
What is the severity of CVE-2018-17184?
CVE-2018-17184 has a severity value of 5.4, which is considered medium.
Which versions of Apache Syncope are affected by CVE-2018-17184?
CVE-2018-17184 affects Apache Syncope versions 2.0.0 to 2.0.11 and versions 2.1.0 to 2.1.2.
How can I fix CVE-2018-17184?
To fix CVE-2018-17184, it is recommended to upgrade to a version of Apache Syncope that is not affected by the vulnerability.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/references
- agent/severity
- agent/last-modified-date
- agent/description
- agent/event
- agent/tags
- agent/softwarecombine
- agent/first-publish-date
- vendor/apache
- canonical/apache syncope
- version/apache syncope/2.0.0
- version/apache syncope/2.1.0