VYPR
Moderate severity · NVD Advisory · Published Nov 6, 2018 · Updated Sep 17, 2024

CVE-2018-17184

Description

Stored XSS vulnerability in Apache Syncope allows admin users to inject JavaScript into entity names/descriptions, executing when another admin edits via Admin Console.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Apache Syncope releases up to 2.0.10 and in 2.1.0 through 2.1.1 [3]. A malicious user with sufficient administration entitlements can inject arbitrary HTML-like elements containing JavaScript into Connector names, Report names, AnyTypeClass keys, and Policy descriptions [2]. When another administrator later edits any of these entities via the Admin Console, the injected JavaScript executes [2].

Exploitation

The attacker must have administration entitlements to create or modify the affected entities [2]. The attack does not require any special network position beyond access to the Syncope Admin Console as an authenticated admin. The attacker crafts a script payload and saves it into one of the vulnerable fields. When a second administrator subsequently edits that entity via the Admin Console, the payload executes in the context of that administrator's browser session [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the Admin Console of another administrator [2]. This can lead to theft of session cookies, modification of application data, or additional actions performed with the victim's privileges. The attack does not directly escalate privileges but operates within the security context of the targeted admin [2].

Mitigation

Apache Syncope has released fixed versions: upgrade to 2.0.11 or 2.1.2 (or later) to remediate the vulnerability [1][3]. These versions are available from the official Apache Syncope download page [1]. No workaround is documented; upgrading is the recommended course of action [1][3].
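As an added illustration (not part of this advisory or of Apache Syncope), a small Python check that classifies a deployed syncope-core version against the affected ranges listed below (< 2.0.11, and >= 2.1.0 but < 2.1.2) and names the patched release to move to. The pom.xml snippet is constructed, and treating a -SNAPSHOT or other qualifier as lower than the bare release is an assumption about Maven ordering, not Syncope semantics.

```python
# Added example: version triage for CVE-2018-17184 (not project code).
from __future__ import annotations
import re
from typing import List, Optional, Tuple

# Affected ranges as (lower_inclusive, upper_exclusive); None lower bound = "any".
AFFECTED_RANGES = [
    (None, "2.0.11"),    # every release before 2.0.11
    ("2.1.0", "2.1.2"),  # 2.1.0 and 2.1.1
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.1.1' -> (2, 1, 1, 0); '2.0.11-SNAPSHOT' -> (2, 0, 11, -1).
    The trailing element makes a qualified build sort below its bare release,
    so a 2.0.11-SNAPSHOT still counts as affected (assumption, see lead-in)."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(-\S+)?$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) if x is not None else 0 for x in m.groups()[:3])
    return nums + ((-1,) if m.group(4) else (0,))

def is_affected(version: str) -> bool:
    """True if the version sits in any affected range of CVE-2018-17184."""
    pv = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or pv >= parse_version(lower)) and pv < parse_version(upper):
            return True
    return False

def recommended_upgrade(version: str) -> Optional[str]:
    """Patched release on the same branch, or None if not affected."""
    if not is_affected(version):
        return None
    return "2.1.2" if parse_version(version) >= parse_version("2.1.0") else "2.0.11"

def scan_pom(pom_xml: str) -> List[Tuple[str, bool, Optional[str]]]:
    """Find syncope-core dependency versions in a pom.xml string and classify them."""
    dep = re.compile(
        r"<groupId>\s*org\.apache\.syncope\s*</groupId>\s*"
        r"<artifactId>\s*syncope-core\s*</artifactId>\s*"
        r"<version>\s*([^<\s]+)\s*</version>", re.S)
    return [(v, is_affected(v), recommended_upgrade(v)) for v in dep.findall(pom_xml)]

# Constructed sample pom.xml fragment (not from any real deployment).
SAMPLE_POM = """<dependency>
  <groupId>org.apache.syncope</groupId>
  <artifactId>syncope-core</artifactId>
  <version>2.1.1</version>
</dependency>"""

if __name__ == "__main__":
    print(scan_pom(SAMPLE_POM))  # [('2.1.1', True, '2.1.2')]
```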

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.syncope:syncope-core (Maven) | < 2.0.11 | 2.0.11
org.apache.syncope:syncope-core (Maven) | >= 2.1.0, < 2.1.2 | 2.1.2

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3