Description
An administrator holding report and template entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 (the unsupported 1.0.x and 1.1.x releases may also be affected) can supply XSL Transformations (XSLT) stylesheets that perform malicious operations, including but not limited to file read, file write, and code execution. The practical impact is that an account scoped only to report and template administration gains code execution on the host running Syncope, so the entitlement boundary does not hold against the underlying server.
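To make the description concrete, the following is an added example, not code from Apache Syncope, that assumes the JDK's built-in JAXP/XSLTC processor. It runs a constructed "report template" of the kind a template-entitled administrator could upload, which calls back into the JVM through the Xalan extension namespace, once through a default `TransformerFactory` and once through one hardened with the secure-processing feature. `HOSTILE_TEMPLATE`, `REPORT_DATA` and the class name are constructed for illustration; `System.getProperty` stands in for any static method the processor would let the stylesheet invoke.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltEntitlementDemo {

    // Constructed attacker-controlled stylesheet (hypothetical, not a Syncope template):
    // instead of formatting report rows it reaches into the JVM through the Xalan
    // Java extension namespace. System.getProperty is a harmless stand-in for any
    // static method the processor would allow the stylesheet to call.
    static final String HOSTILE_TEMPLATE =
        "<xsl:stylesheet version=\"1.0\""
        + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + " xmlns:java=\"http://xml.apache.org/xalan/java\">"
        + "  <xsl:output method=\"text\"/>"
        + "  <xsl:template match=\"/\">"
        + "    <xsl:value-of select=\"java:java.lang.System.getProperty('user.name')\"/>"
        + "  </xsl:template>"
        + "</xsl:stylesheet>";

    // Constructed report data; the content is irrelevant to the hostile template.
    static final String REPORT_DATA = "<report><row>1</row></report>";

    /** Vulnerable pattern: a default factory honours Java extension functions. */
    static String transformDefault(String stylesheet, String data) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        return run(tf, stylesheet, data);
    }

    /**
     * Hardened pattern: secure processing makes the JDK processor reject extension
     * functions at compile time, and the empty access-external attributes stop
     * xsl:include, xsl:import and document() from fetching file: or http: URIs.
     */
    static String transformHardened(String stylesheet, String data) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return run(tf, stylesheet, data);
    }

    // Compile the stylesheet and apply it to the report data, returning the text output.
    private static String run(TransformerFactory tf, String stylesheet, String data)
            throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(data)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerException {
        // Default factory: the stylesheet runs code in the server JVM and leaks the OS user.
        System.out.println("default : " + transformDefault(HOSTILE_TEMPLATE, REPORT_DATA).trim());
        // Hardened factory: compilation fails before any extension function can execute.
        try {
            System.out.println("hardened: " + transformHardened(HOSTILE_TEMPLATE, REPORT_DATA).trim());
        } catch (TransformerException e) {
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
    }
}
```

The hardened factory is a containment measure rather than a complete fix: an administrator who can edit templates still controls an XSLT program that runs server-side, so the stronger control is to treat stored templates as code, restrict who may write them, and keep extension functions and external resource access disabled on every `TransformerFactory` the application creates. The `setAttribute` calls assume the JDK processor; a standalone Xalan or Saxon build exposes equivalent settings under its own names and may throw `IllegalArgumentException` for these constants.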
Remediation
Upgrade to Apache Syncope 1.2.11 on the 1.2.x line or 2.0.8 on the 2.0.x line, the fixed versions named in the description. The 1.0.x and 1.1.x lines are unsupported and should be migrated to a supported, fixed release. Until the upgrade is deployed, restrict the report and template entitlements to administrators who are trusted with code execution on the Syncope host.
References
http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements
http://www.securityfocus.com/bid/103508
https://www.exploit-db.com/exploits/45400/