CVE-2020-1961

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-1961

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-1961.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-1961

Aliases

GHSA-4w4p-xwrr-9crh

Published

2020-05-04T13:15:14.033Z

Modified

2026-02-03T07:09:23.108120Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.

References

http://syncope.apache.org/security

Affected packages

Git / github.com/apache/syncope

Affected ranges

Type: GIT
Repo: https://github.com/apache/syncope
Events: Introduced

49c2e53ba6baf1423a89b5ab9a24aa665a5780ad

Fixed

a1200e18daccb3deebcdaaf91c965596df10cab7

Introduced

973afc777d2f8093785875c62e808d97334fb2e3

Fixed

ed7a41d182bd30cc9881e1a39da2d7a1658a6067

Affected versions

syncope-2.*

syncope-2.0.0

syncope-2.0.1

syncope-2.0.10

syncope-2.0.11

syncope-2.0.12

syncope-2.0.13

syncope-2.0.14

syncope-2.0.2

syncope-2.0.3

syncope-2.0.4

syncope-2.0.5

syncope-2.0.6

syncope-2.0.7

syncope-2.0.8

syncope-2.0.9

syncope-2.1.0

syncope-2.1.1

syncope-2.1.2

syncope-2.1.3

syncope-2.1.4

syncope-2.1.5

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-1961.json"