← Back to CVEs
CVE-2020-1961
CRITICAL9.8
Description
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published5/4/2020
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
apache:syncope
Weaknesses (CWE)
CWE-74
References
http://syncope.apache.org/security(security@apache.org)
http://syncope.apache.org/security(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.