Security Advisory WSO2-2019-0432

Published: 02nd December 2019

Severity: Medium

CVSS Score: 5.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)

AFFECTED PRODUCTS

WSO2 API Manager

WSO2 API Manager Analytics

WSO2 Enterprise Integrator

WSO2 IS as Key Manager

WSO2 Identity Server

WSO2 Identity Server Analytics

OVERVIEW

A potential Cross-site Scripting (XSS) vulnerability has been identified in the management console.

DESCRIPTION

This vulnerability can be exploited when adding a user store for the description field in queues by injecting malicious script as the user input through the management console.

IMPACT

By leveraging an XSS attack, an attacker can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser or harm otherwise. However, since all the session related sensitive cookies are set with httpOnly flag and protected, session hijacking or similar attack would not be possible.

SOLUTION

Upgrade the affected products to the following versions or higher released version which is not affected by this vulnerability. If you have any questions, post them to security@wso2.com.

Code	Product	Safe version
AM	WSO2 API Manager	3.0.0
AM-Analytics	WSO2 API Manager Analytics	2.6.0
EI	WSO2 Enterprise Integrator	6.5.0
IS KM	WSO2 IS as Key Manager	5.9.0
IS	WSO2 Identity Server	5.8.0
IS-Analytics	WSO2 Identity Server Analytics	5.7.0

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix to the affected versions.

NOTES

If you are using newer versions of affected products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.

It is highly recommended to migrate older versions of the WSO2 products to the latest released version to receive security fixes.

WSO2 Platform Security

Security Advisory WSO2-2019-0432

Related content