Security Advisory WSO2-2016-0138
- Former user (Deleted)
Published: 30th September 2016
AFFECTED PRODUCTS
WSO2 API Manager 2.0.0
WSO2 Application Server 5.3.0
WSO2 Business Rules Server 2.2.0
WSO2 Data Services Server 3.5.0
WSO2 Message Broker 3.1.0
OVERVIEW
Message Flows UI of above WSO2 products is vulnerable to reflected XSS attacks.
DESCRIPTION
Two XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console, via that component, using reflected XSS. He can inject malicious scripts as a part of the URL which will be reflected in that component’s pages.
IMPACT
An attacker aware of the management console origin can include malicious content in a request to Message Flows page and trick a user to click the malicious content via email or a neutral web site. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.
SOLUTION
Apply the following patches based on your product versions by following the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.
If you have any questions, please post them to security@wso2.com.
Please download the relevant patches based on the products you use following the matrix below.
| Code | Product | Version | Patch |
|---|---|---|---|
| AM | WSO2 API Manager | 2.0.0 | WSO2-CARBON-PATCH-4.4.0-0420 |
| AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0382 |
| BRS | WSO2 Business Rules Server | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-0386 |
| DSS | WSO2 Data Services Server | 3.5.0 | WSO2-CARBON-PATCH-4.4.0-0385 |
| MB | WSO2 Message Broker | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0386 |