oss-sec mailing list archives
[CVE-2020-1961] Apache Syncope: Server-Side Template Injection on mail templates
From: Francesco Chicchiriccò <ilgrosso () apache org>
Date: Sat, 2 May 2020 14:32:34 +0200
Description:
Vulnerability to Server-Side Template Injection on Mail templates enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.

Severity:
Important

Vendor:
The Apache Software Foundation

Affects:
2.0.X releases prior to 2.0.15
2.1.X releases prior to 2.1.6

Solution:
2.0.X users: upgrade to 2.0.15
2.1.X users: upgrade to 2.1.6

Credit:
This issue was discovered by GitHub Security Labs team member Alvaro Muñoz - https://github.com/pwntester.

References:
https://syncope.apache.org/security
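Added example, not part of the advisory or of the Apache Syncope project: a small Python checker that maps a Syncope version string from an inventory onto the Affects and Solution lines of this advisory, so a defender can triage a fleet without re-reading the notice for each host. It assumes versions are written as major.minor.patch with an optional qualifier (such as 2.1.6-SNAPSHOT); a qualifier on the fix version itself is treated as a pre-release build and therefore still affected, which is a conservative choice of this example rather than a statement from the advisory. Release lines the advisory does not mention (1.2.x, 3.0.x) are reported as not covered rather than as safe.

```python
"""Triage Apache Syncope versions against the CVE-2020-1961 advisory.

Affected per the advisory: 2.0.X prior to 2.0.15, 2.1.X prior to 2.1.6.
Fixed releases:           2.0.15 and 2.1.6.
Everything below is an added helper; only the version numbers come from the advisory.
"""
import re
from typing import Optional, Tuple

# First fixed release per affected release line, taken from the advisory text.
FIXED_VERSIONS = {
    (2, 0): (2, 0, 15),
    (2, 1): (2, 1, 6),
}

# major.minor.patch with an optional qualifier separated by '-' or '.', e.g. "2.1.6-SNAPSHOT".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.](.+))?$")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Split a version string into (major, minor, patch, qualifier); qualifier is '' if absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch), qualifier or ""


def is_affected(version: str) -> Optional[bool]:
    """True if the version is affected, False if it carries the fix,
    None if the release line is not covered by the advisory."""
    major, minor, patch, qualifier = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    core = (major, minor, patch)
    if core < fixed:
        return True
    # Assumption of this example: a qualified build of the fix version (e.g. a
    # SNAPSHOT) predates the release and is treated as still affected.
    if core == fixed and qualifier:
        return True
    return False


def remediation(version: str) -> str:
    """One-line triage verdict suitable for an inventory report."""
    status = is_affected(version)
    if status is None:
        return f"{version}: release line not covered by the CVE-2020-1961 advisory"
    if status:
        major, minor, _, _ = parse_version(version)
        target = ".".join(str(n) for n in FIXED_VERSIONS[(major, minor)])
        return f"{version}: AFFECTED - upgrade to {target}"
    return f"{version}: not affected (contains the fix)"


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    for v in ["2.0.14", "2.0.15", "2.1.5", "2.1.6", "2.1.6-SNAPSHOT", "2.1.7", "3.0.0"]:
        print(remediation(v))
```

Only the two release lines named in the advisory are classified; anything else is surfaced as "not covered" so that a later advisory, not this script, decides its status.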