Home > Vulnerability Database > CVE-2018-1321

Mend.io Vulnerability Database

CVE-2018-1321

Good to know:

Date: March 20, 2018

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.

Language: Java

Severity Score

7.2

Related Resources (9)

Url: http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements

Url: http://www.securityfocus.com/bid/103508

Url: https://github.com/apache/syncope/commit/726231fbf7b817bd2a9467171dcb1c0087c75bc

Url: https://github.com/advisories/GHSA-xgc9-9w4v-h33h

Url: https://github.com/apache/syncope/commit/ad31479c1c543ac7d26b8c882aa14f6c00c1fd0

Url: https://www.exploit-db.com/exploits/45400

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-1321

Url: https://www.exploit-db.com/exploits/45400/

Url: https://www.mend.io/vulnerability-database/CVE-2018-1321

Severity Score

7.2

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version 1.2.11

Learn More

CVSS v3.1

Base Score:	7.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-1321

Good to know:

Date: March 20, 2018

Language: Java

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?