7.2

CVE-2018-1321

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheSyncope Version >= 1.2.0 < 1.2.11
ApacheSyncope Version >= 2.0.0 < 2.0.8
ApacheSyncope Version1.0.0
ApacheSyncope Version1.0.4
ApacheSyncope Version1.0.5
ApacheSyncope Version1.0.6
ApacheSyncope Version1.0.7
ApacheSyncope Version1.0.8
ApacheSyncope Version1.0.9
ApacheSyncope Version1.1.0
ApacheSyncope Version1.1.1
ApacheSyncope Version1.1.2
ApacheSyncope Version1.1.3
ApacheSyncope Version1.1.4
ApacheSyncope Version1.1.5
ApacheSyncope Version1.1.6
ApacheSyncope Version1.1.7
ApacheSyncope Version1.1.8
ApacheSyncope Version1.2.0 Updatemilestone1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.81% 0.89
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.securityfocus.com/bid/103508
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/45400/
Third Party Advisory
VDB Entry