CVE-2018-17184

EPSS 1%
Veröffentlicht 06.11.2018 19:29:00
Zuletzt bearbeitet 21.11.2024 03:54:02
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Syncope Version >= 2.0.0 < 2.0.11

Apache ≫ Syncope Version >= 2.1.0 < 2.1.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1%	0.75

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-17184

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-17184

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-17184

EUVD