CVE-2018-17184 — MEDIUM (5.4)

Q: How severe is CVE-2018-17184?

CVE-2018-17184 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-17184?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Syncope.

Vulnerability Description

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.

CVSS Score

5.4

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Syncope	>= 2.0.0, < 2.0.11

Related Weaknesses (CWE)

CWE-79

References

https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSSVendor Advisory
https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSSVendor Advisory

FAQ

What is CVE-2018-17184?

CVE-2018-17184 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. W...

How severe is CVE-2018-17184?

CVE-2018-17184 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-17184?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Syncope.