An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
References
Link | Resource |
---|---|
http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements | Mitigation Vendor Advisory |
http://www.securityfocus.com/bid/103508 | Third Party Advisory VDB Entry |
https://www.exploit-db.com/exploits/45400/ | Third Party Advisory VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2018-03-21T00:00:00
Updated: 2018-09-15T09:57:01
Reserved: 2017-12-07T00:00:00
Link: CVE-2018-1321
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-03-20T17:29:00.267
Modified: 2019-04-25T18:07:30.400
Link: CVE-2018-1321
JSON object: View
Redhat Information
No data.
CWE