Security Advisory WSO2-2017-0197
Published: 4th September 2017
Severity: Low
CVSS Score: 2.4 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)
AFFECTED PRODUCTS
WSO2 Business Rules Server 2.2.0
WSO2 Dashboard Server 2.0.0
OVERVIEW
A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console.
DESCRIPTION
This vulnerability is discovered in the Add User Store page in the Management Console. However, exploiting the vulnerability remotely is not possible as the malicious script should be injected to a textbox after accessing the web page in the user's browser where the script would run as a result of a javascript event bound to the text box.
IMPACT
By leveraging an XSS attack, an attacker can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser or harm otherwise.
However, since all the session related sensitive cookies are set with httpOnly flag and protected, session hijacking or similar attack would not be possible.
SOLUTION
Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.
Please download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from http://wso2.com/security-patch-releases/.
Code | Product | Version | Patch |
BRS | WSO2 Business Rules Server | 2.2.0 | |
DS | WSO2 Dashboard Server | 2.0.0 |
NOTES
If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.