CVE-2020-7656
WSO2 Products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, which results in the enclosed script logic being executed [1].
REPORTED PRODUCTS
- WSO2 API Manager: 4.5.0
WSO2 JUSTIFICATION
jQuery is included only in Swagger UI–related static frontend assets bundled with OpenAPI Generator. These assets are not used, served, or executed by WSO2 API Manager at runtime. API-M uses OpenAPI Generator only for Java-based backend processing (e.g., client SDK generation) and does not execute any JavaScript code. Therefore, the reported jQuery vulnerabilities are not reachable or exploitable in the API-M runtime and do not pose a security risk.
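
A way to check the premise of this justification against a build artifact, as an added example that is not WSO2's or OpenAPI Generator's code: it lists every jQuery copy inside a JAR/ZIP and flags versions prior to 1.9.0. The archive entries are constructed for the demo, and the scan shows presence only; whether an asset is served at runtime has to be confirmed separately.

```python
import io
import re
import zipfile

FIXED = (1, 9, 0)  # per the advisory: jQuery prior to 1.9.0 is affected
# Version banner found near the top of jQuery builds, e.g. "jQuery v1.8.0".
BANNER = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)(?:\.(\d+))?")
# Fallback when the banner was stripped: version embedded in the file name.
FILENAME = re.compile(r"jquery[-.](\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$", re.I)


def find_jquery(archive_bytes):
    """Return [(entry, version, affected)] for each jQuery copy in a JAR/ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".js"):
                continue
            match = BANNER.search(zf.read(name)[:4096]) or FILENAME.search(name)
            if match:
                version = tuple(int(part or 0) for part in match.groups())
                findings.append((name, version, version < FIXED))
    return findings


def build_sample_archive():
    """Constructed archive; entry names and contents are made up for the demo."""
    entries = {
        "constructed/static/lib/jquery-1.8.0.min.js": b"/*! jQuery v1.8.0 jquery.com | jquery.org/license */",
        "constructed/static/lib/jquery.slim.js": b"/*!\n * jQuery JavaScript Library v3.6.0\n */",
        "constructed/static/lib/jquery-1.7.2.js": b"(function(){})();",  # banner stripped
        "constructed/static/app.js": b"console.log('no jquery here');",
        "constructed/Generator.class": b"\xca\xfe\xba\xbe",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, version, affected in find_jquery(build_sample_archive()):
        status = "AFFECTED (< 1.9.0)" if affected else "not affected"
        print(f"{name}: {'.'.join(map(str, version))} -> {status}")
```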