May 11, 2020

GHSL-2020-054: XSS in Apache Syncope - CVE-2020-1961

Alvaro Munoz


An XSS issue in the EndUser login page was identified in Apache Syncope. Combined with GHSL-2020-029 or GHSL-2020-055, this XSS may be escalated into RCE.


Apache Syncope

Tested Version



Cross-Site Scripting on EndUser login page (GHSL-2020-054, CVE-2020-17557)

The EndUser login page reflects the successMessage parameter with some sanitization (app.js): `<[^>]+>/gm, ''), "success");`

However, this sanitization only accounts for complete (closed) tags. Most modern browsers will automatically close an unclosed tag, so a tag without a closing `>` passes the filter unchanged and is still rendered, enabling a bypass.


Even though the XSS issue is on the login page, it will also trigger if the victim is already logged in when clicking the malicious link. This is important because if the different apps (enduser and core) share the same origin (scheme+host+port), an attacker may use this XSS to attack a Syncope administrator and send arbitrary requests to the REST API. When combined with GHSL-2020-029 or GHSL-2020-055, this would allow an attacker to escalate this XSS into RCE.


Rather than trying to sanitize the user input, escape the successMessage parameter for HTML context.
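As an added illustration (not code from Apache Syncope or from this advisory), the following JavaScript places a tag-stripping sanitizer of the kind described above next to HTML-context escaping, the remediation recommended here. The function names and the sample inputs are constructed for the example.

```javascript
// Added example (not Syncope's code): contrasts a tag-stripping sanitizer
// with HTML-context escaping.

// Flawed approach: remove anything that looks like a complete tag.
// An opening '<' that is never followed by '>' does not match the
// pattern and survives untouched.
function stripClosedTags(s) {
  return String(s).replace(/<[^>]+>/gm, '');
}

// Correct approach for placing untrusted text into an HTML context:
// replace every character with special meaning by its entity, so the
// browser always treats the value as text rather than markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
    '`': '&#96;',
  })[c]);
}

// Simple check: does the value still contain a raw '<' that could start
// a tag once the browser parses it?
function containsTagStart(s) {
  return /<[a-zA-Z/!]/.test(s);
}

// Constructed inputs (hypothetical values of the successMessage parameter).
const closedTagInput = 'Saved <b>ok</b>';
const unclosedTagInput = 'Saved <b title=x'; // constructed: no closing '>'

// Returns the result of both approaches on both inputs.
function demo() {
  return {
    strippedClosed: stripClosedTags(closedTagInput),      // 'Saved ok'
    strippedUnclosed: stripClosedTags(unclosedTagInput),  // unchanged: '<b title=x' survives
    escapedClosed: escapeHtml(closedTagInput),            // 'Saved &lt;b&gt;ok&lt;/b&gt;'
    escapedUnclosed: escapeHtml(unclosedTagInput),        // 'Saved &lt;b title=x'
  };
}
```

The stripping regex is only a filter for what the author expected (balanced tags); escaping instead changes every `<` into `&lt;`, so the shape of the input no longer matters.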

This issue was addressed in the following commit


Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.



This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at ; please include GHSL-2020-054 in any communication regarding this issue.