Maven package
org.apache.syncope/syncope-core
pkg:maven/org.apache.syncope/syncope-core
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-65998 | — | >= 4.0.0, < 4.0.3 | 4.0.3 | Nov 24, 2025 | Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, | ||
| CVE-2020-1961 | — | >= 2.0.0, < 2.0.15 | 2.0.15 | May 4, 2020 | Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered. | ||
| CVE-2020-1959 | — | < 2.1.6 | 2.1.6 | May 4, 2020 | A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constrai | ||
| CVE-2018-17186 | — | < 2.0.11 | 2.0.11 | Nov 6, 2018 | An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution. | ||
| CVE-2018-17184 | — | < 2.0.11 | 2.0.11 | Nov 6, 2018 | A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entiti | ||
| CVE-2018-1322 | — | < 1.2.11 | 1.2.11 | Mar 20, 2018 | An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters. | ||
| CVE-2018-1321 | — | < 1.2.11 | 1.2.11 | Mar 20, 2018 | An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to |
- CVE-2025-65998Nov 24, 2025affected >= 4.0.0, < 4.0.3fixed 4.0.3
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker,
- CVE-2020-1961May 4, 2020affected >= 2.0.0, < 2.0.15fixed 2.0.15
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.
- CVE-2020-1959May 4, 2020affected < 2.1.6fixed 2.1.6
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constrai
- CVE-2018-17186Nov 6, 2018affected < 2.0.11fixed 2.0.11
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
- CVE-2018-17184Nov 6, 2018affected < 2.0.11fixed 2.0.11
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entiti
- CVE-2018-1322Mar 20, 2018affected < 1.2.11fixed 1.2.11
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.
- CVE-2018-1321Mar 20, 2018affected < 1.2.11fixed 1.2.11
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to