Vulnerability Description
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and the unsupported 1.0.x and 1.1.x releases (which may also be affected), can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Syncope | >= 1.2.0, < 1.2.11 |
Related Weaknesses (CWE)
References
- http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_ (Mitigation; Vendor Advisory)
- http://www.securityfocus.com/bid/103508 (Third Party Advisory; VDB Entry)
- https://www.exploit-db.com/exploits/45400/ (Third Party Advisory; VDB Entry)
FAQ
What is CVE-2018-1321?
CVE-2018-1321 is a vulnerability with a CVSS score of 7.2 (HIGH). An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and the unsupported 1.0.x and 1.1.x releases (which may also be affected), can use XSL Trans...
How severe is CVE-2018-1321?
CVE-2018-1321 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1321?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Syncope.