Description
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and the unsupported 1.0.x and 1.1.x releases (which may also be affected) can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
Remediation
References
http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements
http://www.securityfocus.com/bid/103508
https://www.exploit-db.com/exploits/45400/