/
Security Advisory WSO2-2017-0188
com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links' is unknown.

Security Advisory WSO2-2017-0188

Aug 02, 2017

Published: 6th March 2017

 

AFFECTED PRODUCTS

 

WSO2 Application Server 5.3.0

WSO2 Business Process Server 3.6.0

WSO2 Business Rules Server 2.2.0

WSO2 Complex Event Processor 4.2.0

WSO2 Data Analytics Server 3.1.0

WSO2 Data Services Server 3.5.1

WSO2 Enterprise Service Bus 5.0.0

 

OVERVIEW

 

The WSO2 Carbon New Data Sources UI component of above listed products has been identified to have a potential XSS vulnerability where a user can inject an executable script as user input.

 

DESCRIPTION

 

In Carbon New Data Sources UI component, reflected XSS attack vulnerability is detected when a user injects a malicious executable script as user input using carbon management console.

This issue has been fixed in affected component with security patches given for specific products.

 

 IMPACT

 

An attacker can include malicious content in a request to Carbon New Data Sources UI page of management console, and trick a user to click the malicious content via email or a neutral web site. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.

 

SOLUTION

 

The recommended solution is to apply relevant security patches which fix the XSS vulnerability identified in the specific components used in products. Please see below for details on patching or updating the affected component.

 

For WSO2 Update Manager (WUM) Supported Products

Please use WUM to update the following products.

 

Code

Product

Version

CEP

WSO2 Complex Event Processor

4.2.0

DSS

WSO2 Data Services Server

3.5.1

ESB

WSO2 Enterprise Service Bus

5.0.0

 

For Other Products

Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.

Please download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from http://wso2.com/security-patch-releases/.

 

Code

Product

Version

Patch

AS

WSO2 Application Server

5.3.0

WSO2-CARBON-PATCH-4.4.0-0719

BPS

WSO2 Business Process Server

3.6.0

WSO2-CARBON-PATCH-4.4.0-0630

BRS

WSO2 Business Rules Server

2.2.0

WSO2-CARBON-PATCH-4.4.0-0716

CEP

WSO2 Complex Event Processor

4.2.0

WSO2-CARBON-PATCH-4.4.0-0630

DAS

WSO2 Data Analytics Server

3.1.0

WSO2-CARBON-PATCH-4.4.0-0630

DSS

WSO2 Data Services Server

3.5.1

WSO2-CARBON-PATCH-4.4.0-0630

ESB

WSO2 Enterprise Service Bus

5.0.0

WSO2-CARBON-PATCH-4.4.0-0630

 

NOTES

 

If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed. 

 

CREDITS

 

WSO2 thanks, Marcin Woloszyn for responsibly reporting the identified issues and working with us as we addressed them.

 

 

com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links2' is unknown.