CVE-2020-1961
Injection in Apache Syncope
CVSS 3.1 base score: 9.8 (CRITICAL)
EPSS: 7.1%
Description
A Server-Side Template Injection vulnerability was discovered in the mail templates of Apache Syncope 2.0.X releases prior to 2.0.15 and 2.1.X releases prior to 2.1.6. It enables attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE).
How to fix CVE-2020-1961
To remediate CVE-2020-1961, upgrade the affected package to a fixed version listed below.
- Maven: org.apache.syncope:syncope-core, upgrade to 2.0.15 or later
Is CVE-2020-1961 being exploited?
Moderate: EPSS is 7.1%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- >= 2.0.0, < 2.0.15
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |