It was found that the Apache Syncope EndUser UI login page prior to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this means, a user accessing the EndUser UI could execute JavaScript code from the URL query string.
[
{
"product": "Apache Syncope",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6"
}
]
}
]