This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 4_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git

commit 41f7a7c22da3b54aa5d51d3f37f96597079a94b3
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Mon Feb 2 13:11:23 2026 +0100

    Updating security page
---
 .../client/console/SyncopeConsoleApplication.java  |  3 +-
 .../client/enduser/SyncopeWebApplication.java      |  3 +-
 src/site/xdoc/security.xml                         | 82 ++++++++++++++++++++++
 3 files changed, 84 insertions(+), 4 deletions(-)

diff --git 
a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java
 
b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java
index a92b9227f4..d58f35f5e8 100644
--- 
a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java
+++ 
b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java
@@ -89,8 +89,7 @@ public class SyncopeConsoleApplication extends 
SpringBootServletInitializer {
             final Cache<String, OffsetDateTime> loggedoutSessionIdCache,
             @Qualifier(SyncopeWebApplication.DESTROYED_SESSIONID_CACHE)
             final Cache<String, OffsetDateTime> destroyedSessionIdCache,
-            final DynamicMenuStringResourceLoader 
dynamicMenuStringResourceLoader
-    ) {
+            final DynamicMenuStringResourceLoader 
dynamicMenuStringResourceLoader) {
 
         return new SyncopeWebApplication(
                 props,
diff --git 
a/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
 
b/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
index 97dcf13ccb..9318e46496 100644
--- 
a/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
+++ 
b/client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
@@ -101,8 +101,7 @@ public class SyncopeWebApplication extends 
WicketBootSecuredWebApplication imple
             final ClassPathScanImplementationLookup lookup,
             final ServiceOps serviceOps,
             final List<IResource> resources,
-            final DynamicMenuStringResourceLoader 
dynamicMenuStringResourceLoader
-    ) {
+            final DynamicMenuStringResourceLoader 
dynamicMenuStringResourceLoader) {
 
         this.resourceLoader = resourceLoader;
         this.props = props;
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index 7968e95dea..54d278a5e5 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -36,6 +36,88 @@ under the License.
 
       <p>If you want to report a vulnerability, please follow <a 
href="https://www.apache.org/security/";>the procedure</a>.</p>
 
+      <subsection name="CVE-2026-23795: Apache Syncope: Console XXE on 
Keymaster parameters">
+        <p>Improper Restriction of XML External Entity Reference vulnerability 
in Apache Syncope Console.</p>
+        <p>An administrator with adequate entitlements to create or edit 
Keymaster parameters via Console can construct malicious XML text to launch an 
XXE attack, thereby causing sensitive data leakage occurs.</p>
+
+        <p>
+          <b>Severity</b>
+        </p>
+        <p>Important</p>
+
+        <p>
+          <b>Affects</b>
+        </p>
+        <p>
+          <ul>
+            <li>4.0 through 4.0.3</li>
+            <li>3.0 through 3.0.15</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Solution</b>
+        </p>
+        <p>
+          <ul>
+            <li>Users are recommended to upgrade to version 4.0.4 / 3.0.16 
which fix this issue.</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Fixed in</b>
+        </p>
+        <p>
+          <ul>
+            <li>Release 4.0.4</li>
+            <li>Release 3.0.16</li>
+          </ul>
+        </p>
+
+        <p>Read the <a 
href="https://www.cve.org/CVERecord?id=CVE-2026-23795";>full CVE 
advisory</a>.</p>
+      </subsection>
+
+      <subsection name="CVE-2026-23794: Apache Syncope: Reflected XSS on 
Enduser Login">
+        <p>Reflected XSS in Apache Syncope's Enduser Login page.</p>
+        <p>An attacker that tricks a legitimate user into clicking a malicious 
link and logging in to Syncope Enduser could steal that user's credentials.</p>
+
+        <p>
+          <b>Severity</b>
+        </p>
+        <p>Important</p>
+
+        <p>
+          <b>Affects</b>
+        </p>
+        <p>
+          <ul>
+            <li>4.0 through 4.0.3</li>
+            <li>3.0 through 3.0.15</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Solution</b>
+        </p>
+        <p>
+          <ul>
+            <li>Users are recommended to upgrade to version 4.0.4 / 3.0.16 
which fix this issue.</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Fixed in</b>
+        </p>
+        <p>
+          <ul>
+            <li>Release 4.0.4</li>
+            <li>Release 3.0.16</li>
+          </ul>
+        </p>
+
+        <p>Read the <a 
href="https://www.cve.org/CVERecord?id=CVE-2026-23794";>full CVE 
advisory</a>.</p>
+      </subsection>
+
       <subsection name="CVE-2025-65998: Apache Syncope: Default AES key used 
for internal password encryption">
         <p>Apache Syncope can be configured to store the user password values 
in the internal database with AES encryption, though this is not the default 
option.</p>
 
