A malicious user with sufficient administration entitlements can inject HTML-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with sufficient administration entitlements edits one of these entities via the Admin Console, the injected JavaScript code is executed.
References
| Link | Resource |
|---|---|
| https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2018-11-06T00:00:00
Updated: 2018-11-06T18:57:01
Reserved: 2018-09-19T00:00:00
Link: CVE-2018-17184
NVD Information
Status : Analyzed
Published: 2018-11-06T19:29:00.433
Modified: 2018-12-13T14:53:20.837
Link: CVE-2018-17184
Redhat Information
No data.
CWE