Impact
Apache Syncope’s Enduser Login page contains a reflected cross‑site scripting flaw: script code embedded in the login form’s URL is echoed back into the page and executes in the victim’s browser. Exploitation needs no authentication, but the attacker must persuade a legitimate user to open a crafted link and then log in. A successful attack can capture the authenticated user’s session cookie or the credentials entered during login, compromising that account and potentially the entire Syncope deployment. The attack vector is therefore social engineering: a user clicks a malicious URL that triggers the reflection. The CVSS score of 6.8 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild today. The vulnerability is not yet listed in CISA’s Known Exploited Vulnerabilities catalog, which reduces the immediacy of any large‑scale exploitation risk.
Affected Systems
The affected product is Apache Syncope from the Apache Software Foundation. Versions 3.0 through 3.0.15 and 4.0 through 4.0.3 are vulnerable; versions 3.0.16 and 4.0.4 (and later releases in each line) contain the fix.
Risk and Exploitability
The CVSS score of 6.8 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability requires a user to click a malicious URL, so it is a social‑engineering risk. Although it is not listed in CISA’s KEV catalog, the potential to steal credentials warrants timely patching.
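The following example is added here to illustrate the two defender-side points the advisory raises; it is not code from Apache Syncope or from the advisory. The first half shows a stand-in login template that reflects a URL parameter unchanged next to the same template with HTML output encoding applied (the real Enduser page is a Wicket application, and the template, the `username` parameter and the `/syncope-enduser/login` path used below are assumptions, not values taken from the page). The second half runs a simple check over constructed access-log lines to flag requests to that login path whose query string carries HTML markup, which is a practical way to spot link-based reflection attempts against an unpatched instance.

```python
import html
from urllib.parse import urlsplit, unquote

# Hypothetical template standing in for the login page. Syncope's real Enduser
# login page is a Wicket component; only the encoding difference matters here.
LOGIN_TEMPLATE = '<form action="/login"><input name="username" value="{value}"></form>'


def render_login_vulnerable(reflected_value: str) -> str:
    """Reflects an attacker-controlled URL parameter into the markup unchanged.

    This is the defective pattern: anything the user places in the URL lands
    verbatim inside the attribute and can close it and inject markup.
    """
    return LOGIN_TEMPLATE.format(value=reflected_value)


def render_login_hardened(reflected_value: str) -> str:
    """HTML-escapes the value (including quotes) before placing it in the attribute.

    The parameter is still echoed, but as inert text that cannot break out.
    """
    return LOGIN_TEMPLATE.format(value=html.escape(reflected_value, quote=True))


def reflected_value_breaks_out(rendered: str, marker: str = "<b>marker</b>") -> bool:
    """True if the raw marker survived into the output, i.e. markup was injected."""
    return marker in rendered


# Detection side. Tokens that should never appear in a decoded login query string.
SUSPICIOUS_TOKENS = ("<", ">", "javascript:")


def suspicious_login_requests(log_lines, login_path="/syncope-enduser/login"):
    """Return request targets aimed at the login path whose decoded query string
    carries HTML or script markup. Log lines are expected in Apache/nginx
    combined format; the login path is an assumption for this example."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # not a well-formed combined-format line
        target = parts[6]  # request target inside the quoted request line
        split = urlsplit(target)
        if split.path != login_path:
            continue
        decoded = unquote(split.query).lower()
        if any(token in decoded for token in SUSPICIOUS_TOKENS):
            hits.append(target)
    return hits


# Constructed sample log lines (not real traffic): one benign login request,
# one carrying URL-encoded markup in the reflected parameter, one unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /syncope-enduser/login?username=alice HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /syncope-enduser/login?username=%3Cb%3Emarker%3C%2Fb%3E HTTP/1.1" 200 540',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /syncope-enduser/app/ HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    marker = "<b>marker</b>"
    print("vulnerable reflects raw markup:", reflected_value_breaks_out(render_login_vulnerable(marker)))
    print("hardened reflects raw markup:  ", reflected_value_breaks_out(render_login_hardened(marker)))
    print("flagged requests:", suspicious_login_requests(SAMPLE_LOG))
```

The log check is deliberately coarse: a literal `<` in a legitimate username would also be flagged, so treat hits as triage candidates rather than confirmed attacks, and pair the check with the version inventory from the section above so that flagged hosts still running 3.0.x below 3.0.16 or 4.0.x below 4.0.4 are patched first.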
OpenCVE Enrichment