CVE-2020-1961
moderate-risk
Published 2020-05-04
Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.
Do I need to act?
~
7.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: ed7a41d182bd30cc9881e1a39da2d7a1658a6067, a1200e18daccb3deebcdaaf91c965596df10cab7
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Syncope
Affected Vendors
References (2)
Vendor Advisory
http://syncope.apache.org/security
Vendor Advisory
http://syncope.apache.org/security
46
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
9/34 · Low
Exposure
5/34 · Minimal