Security Advisory WSO2-2017-0254

Published: 4th September 2017

Severity: Low

CVSS Score: 2.4 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)

AFFECTED PRODUCTS

WSO2 API Manager 2.1.0
WSO2 API Manager Analytics 2.1.0
WSO2 App Manager 1.2.0
WSO2 Application Server 5.3.0
WSO2 Business Process Server 3.6.0
WSO2 Business Rules Server 2.2.0
WSO2 Complex Event Processor 4.2.0
WSO2 Dashboard Server 2.0.0
WSO2 Data Analytics Server 3.1.0
WSO2 Data Services Server 3.5.1
WSO2 Enterprise Mobility Manager 2.2.0
WSO2 Governance Registry 5.4.0
WSO2 Identity Server 5.3.0
WSO2 Identity Server Analytics 5.3.0
WSO2 Identity Server as Key Manager 5.3.0
WSO2 IoT Server 3.0.0
WSO2 Machine Learner 1.2.0
WSO2 Storage Server 1.5.0

OVERVIEW

A potential reflected cross-site scripting (XSS) vulnerability has been identified in the Management Console.

DESCRIPTION

In the Carbon Tenant Management UI, the identified XSS can be triggered when a malicious executable script is supplied as user input through the Carbon Management Console and reflected back to the browser.

This issue has been fixed in the affected component versions through the security patches/updates listed per product in the SOLUTION section.

IMPACT

An attacker who knows the management console origin can embed malicious content in a request and trick a user into opening it via e-mail or an unrelated web site. The content is reflected back to the user's browser, where the injected script executes and may produce misleading page content or otherwise harm the victim. As the CVSS vector indicates (PR:H, UI:R), exploitation requires high privileges on the console and interaction from the targeted user, which is why the severity is rated Low.

SOLUTION

Apply the patches listed below for your product version, following the instructions in each patch's README file. If you have any questions, send them to security@wso2.com.

Please download the relevant patches for the products you use according to the matrix below. Patches can also be downloaded from http://wso2.com/security-patch-releases/.

Code          Product                                Version  Patch
AppM          WSO2 App Manager                       1.2.0    WSO2-CARBON-PATCH-4.4.0-1129
AS            WSO2 Application Server                5.3.0    WSO2-CARBON-PATCH-4.4.0-1117
BPS           WSO2 Business Process Server           3.6.0    WSO2-CARBON-PATCH-4.4.0-1136
BRS           WSO2 Business Rules Server             2.2.0    WSO2-CARBON-PATCH-4.4.0-1121
CEP           WSO2 Complex Event Processor           4.2.0    WSO2-CARBON-PATCH-4.4.0-1105
DAS           WSO2 Data Analytics Server             3.1.0    WSO2-CARBON-PATCH-4.4.0-1105
DS            WSO2 Dashboard Server                  2.0.0    WSO2-CARBON-PATCH-4.4.0-1121
DSS           WSO2 Data Services Server              3.5.1    WSO2-CARBON-PATCH-4.4.0-1105
IoTS          WSO2 IoT Server                        3.0.0    WSO2-CARBON-PATCH-4.4.0-1115
ML            WSO2 Machine Learner                   1.2.0    WSO2-CARBON-PATCH-4.4.0-1105
SS            WSO2 Storage Server                    1.5.0    WSO2-CARBON-PATCH-4.3.0-0019
AM            WSO2 API Manager                       2.1.0    WSO2-CARBON-PATCH-4.4.0-1115
AM-Analytics  WSO2 API Manager Analytics             2.1.0    WSO2-CARBON-PATCH-4.4.0-1115
EMM           WSO2 Enterprise Mobility Manager       2.2.0    WSO2-CARBON-PATCH-4.4.0-1138
GREG          WSO2 Governance Registry               5.4.0    WSO2-CARBON-PATCH-4.4.0-1140
IS            WSO2 Identity Server                   5.3.0    WSO2-CARBON-PATCH-4.4.0-1115
IS-Analytics  WSO2 Identity Server Analytics         5.3.0    WSO2-CARBON-PATCH-4.4.0-1115
IS-KM         WSO2 Identity Server as Key Manager    5.3.0    WSO2-CARBON-PATCH-4.4.0-1115

NOTES

If you are using newer versions of the products than those listed in the SOLUTION section, this vulnerability is already fixed.