Description
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.
Remediation
References
http://syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting
http://www.securityfocus.com/bid/103507
https://www.exploit-db.com/exploits/45400/
Related Vulnerabilities
CVE-2016-6651 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-common
CVE-2021-32050 Vulnerability in npm package mongodb
CVE-2016-4003 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2021-4178 Vulnerability in maven package io.fabric8:kubernetes-client