Medium
CVSS: 4.9
Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console.
An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE…
Medium
CVSS: 6.8
Reflected XSS in Apache Syncope's Enduser Login page.
An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.
This issue affects Apache Syncope: from 3…
High
CVSS: 7.5
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.
When AES is configured, the default key value, hard-coded in the source code, is always…
High
CVSS: 7.2
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing custom implementations of a few Java interfaces to be provided; such implementations can be provided either as Java or Groovy classes, wit…