threatengine.sh
Product: Apache Syncope
16 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-23795
  Affected versions: >= 3.0.0 and < 3.0.16
  CVSS: 4.9 (MEDIUM)
  Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate enti

CVE-2026-23794
  Affected versions: >= 3.0.0 and < 3.0.16
  CVSS: 6.8 (MEDIUM)
  Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and

CVE-2025-65998
  Affected versions: >= 2.1.0 and <= 2.1.14
  CVSS: 7.5 (HIGH)
  Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is no

CVE-2025-57738
  Affected versions: >= 2.1.0 and < 3.0.14
  CVSS: 7.2 (HIGH)
  Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implem

CVE-2024-45031
  Affected versions: >= 2.1.0 and < 3.0.9
  CVSS: 6.1 (MEDIUM)
  When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible

CVE-2024-38503
  Affected versions: >= 2.1.0 and <= 2.1.14
  CVSS: 5.4 (MEDIUM)
  When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to pote

CVE-2020-11977
  Affected versions: >= 2.1.0 and < 2.1.7
  CVSS: 7.2 (HIGH)
  In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlemen

CVE-2020-1961
  Affected versions: >= 2.0.0 and < 2.0.15
  CVSS: 9.8 (CRITICAL)
  Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X release

CVE-2020-1959
  Affected versions: >= 2.1.0 and < 2.1.6
  CVSS: 9.8 (CRITICAL)
  A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL ex

CVE-2019-17557
  Affected versions: >= 2.0.0 and < 2.0.15
  CVSS: 5.4 (MEDIUM)
  It was found that the Apache Syncope EndUser UI login page prior to 2.0.15 and 2.1.6 reflects the successMessage parameters. By thi

CVE-2018-17186
  Affected versions: >= 2.0.0 and <= 2.0.11
  CVSS: 7.2 (HIGH)
  An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to f

CVE-2018-17184
  Affected versions: >= 2.0.0 and < 2.0.11
  CVSS: 5.4 (MEDIUM)
  A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Conne

CVE-2018-1322
  Affected versions: >= 1.2.0 and < 1.2.11
  CVSS: 4.9 (MEDIUM)
  An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases

CVE-2018-1321
  Affected versions: >= 1.2.0 and < 1.2.11
  CVSS: 7.2 (HIGH)
  An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported

CVE-2014-3503
  Affected versions: all versions
  CVSS: not listed
  Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to gue

CVE-2014-0111
  Affected versions: >= 1.0.0 and < 1.0.9
  CVSS: not listed
  Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors r
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin