Security Advisory WSO2-2016-0127¶
Published: September 30, 2016
AFFECTED PRODUCTS¶
- WSO2 Dashboard Server 2.0.0
- WSO2 Enterprise Mobility Manager 2.0.1
OVERVIEW¶
The login page of the authenticationendpoint web application of the above-mentioned WSO2 Servers is vulnerable to XSS attacks.
DESCRIPTION¶
The login page hosted in the WSO2 server's authenticationendpoint web application is vulnerable to reflected XSS attacks, which enables attackers to inject client-side scripts into that page. The respective page used a weak output encoding mechanism which was not sufficient to escape malicious user inputs properly.
IMPACT¶
An attacker aware of the authentication endpoint origin can include malicious content in a request to login page and trick a user to click the malicious content via email or a neutral website. This reflects the attack on the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.
SOLUTION¶
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| DS | WSO2 Dashboard Server | 2.0.0 | WSO2-CARBON-PATCH-4.4.0-0421 |
| EMM | WSO2 Enterprise Mobility Manager | 2.0.1 | WSO2-CARBON-PATCH-4.4.0-0421 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.