This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 3_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git

commit 774325cb6d6d6c9ac60e2f6e8a2e9f701006ac25
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Mon Jul 22 11:46:17 2024 +0200

    Site update
---
 src/site/xdoc/integration.xml     |  2 +-
 src/site/xdoc/release-process.xml |  2 +-
 src/site/xdoc/security.xml        | 40 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/src/site/xdoc/integration.xml b/src/site/xdoc/integration.xml
index e0925ea0f7..0b7f7ee5b8 100644
--- a/src/site/xdoc/integration.xml
+++ b/src/site/xdoc/integration.xml
@@ -28,7 +28,7 @@ under the License.
   <body>    
     <section name="Jenkins">
       <p>
-        <source><a 
href="https://ci-builds.apache.org./job/Syncope/";>https://ci-builds.apache.org./job/Syncope/</a></source>
+        <source><a 
href="https://ci-builds.apache.org/job/Syncope/";>https://ci-builds.apache.org./job/Syncope/</a></source>
       </p>
     </section>
 
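Review bot: the href on the `+` line is corrected to `https://ci-builds.apache.org/job/Syncope/`, but the visible anchor text on the same line still reads `https://ci-builds.apache.org./job/Syncope/` with the stray trailing dot in the hostname; update the link text to match the href so that readers who copy the displayed URL do not end up with the `org.` form.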
diff --git a/src/site/xdoc/release-process.xml 
b/src/site/xdoc/release-process.xml
index a175e3177f..8fdb047325 100644
--- a/src/site/xdoc/release-process.xml
+++ b/src/site/xdoc/release-process.xml
@@ -523,7 +523,7 @@ svn commit -m "Promoting the staging site"]]></source>
           </li>
           <li>
             Deploy the updated Docker images to <a 
href="https://hub.docker.com/";>DockerHub</a> by adjusting the GIT tag
-            name then running the <a 
href="https://ci-builds.apache.org./job/Syncope/job/Syncope-Release-Docker/";>dedicated
 Jenkins job</a>.
+            name then running the <a 
href="https://ci-builds.apache.org/job/Syncope/job/Syncope-Release-Docker/";>dedicated
 Jenkins job</a>.
           </li>
         </ol>
       </subsection>
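Review bot: this hunk fixes only the href (the link text here is prose, so nothing else needs changing), but since the same `ci-builds.apache.org.` typo was present in integration.xml as well, it is worth grepping the rest of src/site for `apache.org.` to make sure no further occurrences remain before the site is regenerated.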
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index ecc9c77ab9..35837aff36 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -36,6 +36,46 @@ under the License.
 
       <p>If you want to report a vulnerability, please follow <a 
href="https://www.apache.org/security/";>the procedure</a>.</p>
 
+      <subsection name="CVE-2024-38503: HTML tags can be injected into Console 
or Enduser text fields">
+        <p>When editing a user, group or any object in the Syncope Console, 
HTML tags could be added to any text field and could lead to potential exploits.
+The same vulnerability was found in the Syncope Enduser, when editing 
“Personal Information” or “User Requests”.</p>
+
+        <p>
+          <b>Severity</b>
+        </p>
+        <p>Moderate</p>
+
+        <p>
+          <b>Affects</b>
+        </p>
+        <p>
+          <ul>
+            <li>3.0 through 3.0.7</li>
+            <li>2.1 through 2.1.14</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Solution</b>
+        </p>
+        <p>
+          <ul>
+            <li>Users are recommended to upgrade to version 3.0.8, which fixes 
this issue.</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Fixed in</b>
+        </p>
+        <p>
+          <ul>
+            <li>Release 3.0.8</li>
+          </ul>
+        </p>
+
+        <p>Read the <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38503";>full CVE 
advisory</a>.</p>
+      </subsection>
+
       <subsection name="CVE-2020-11977: Remote Code Execution via Flowable 
workflow definition">
         <p>When the Flowable extension is enabled, an administrator with 
workflow entitlements can use Shell Service Tasks to perform malicious 
operations, including but not limited
            to file read, file write, and code execution.</p>
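Review bot: two points on the new CVE-2024-38503 subsection. First, the "Affects" entry lists `2.1 through 2.1.14`, but "Solution" and "Fixed in" only mention 3.0.8; state explicitly what users on the 2.1 line should do (whether a 2.1.x fix exists or whether they are expected to upgrade to 3.0.8), otherwise the advisory is ambiguous for that branch. Second, the `<ul>` elements under "Affects", "Solution" and "Fixed in" are nested directly inside `<p>`, which is not valid XHTML (a list is not permitted as a child of a paragraph) and may render differently depending on the xdoc skin; drop the surrounding `<p>` so the markup reads, for example, `<ul><li>3.0 through 3.0.7</li><li>2.1 through 2.1.14</li></ul>`. A minor wording point: "could lead to potential exploits" is vaguer than the subsection title; naming the issue class (HTML injection into fields rendered by the Console/Enduser) would tell readers what the impact actually is.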
