Description
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.
Remediation
References
http://syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting
http://www.securityfocus.com/bid/103507
https://www.exploit-db.com/exploits/45400/
Related Vulnerabilities
CVE-2019-1003005 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2015-7501 Vulnerability in maven package commons-collections:commons-collections
CVE-2022-34870 Vulnerability in maven package org.apache.geode:geode-pulse
CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-drill
CVE-2019-10080 Vulnerability in maven package org.apache.nifi:nifi-lookup-services-bundle