Description
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
Remediation
References
http://syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements
http://www.securityfocus.com/bid/103508
https://www.exploit-db.com/exploits/45400/
Related Vulnerabilities
CVE-2023-49397 Vulnerability in maven package com.jfinal:jfinal
CVE-2023-5654 Vulnerability in npm package react-devtools-core
CVE-2023-26048 Vulnerability in maven package org.eclipse.jetty:jetty-server
CVE-2020-11972 Vulnerability in maven package org.apache.camel:camel-rabbitmq
CVE-2022-44730 Vulnerability in maven package org.apache.xmlgraphics:batik-script