org.apache.syncope:syncope-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.syncope:syncope-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2020-1959 — CVSS 9.8 (critical): A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL…
CVE-2020-1961 — CVSS 9.8 (critical): Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior…
CVE-2025-65998 — CVSS 7.5 (high): Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the…
CVE-2018-17186 — CVSS 7.2 (high): An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read…
CVE-2018-1321 — CVSS 7.2 (high): An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases…
CVE-2018-17184 — CVSS 5.4 (medium): A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector…
CVE-2018-1322 — CVSS 4.9 (medium): An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x…