Security Advisory WSO2-2016-0127

Published: September 30, 2016


  • WSO2 Dashboard Server 2.0.0
  • WSO2 Enterprise Mobility Manager 2.0.1


The login page of the authenticationendpoint web application of the above-mentioned WSO2 Servers is vulnerable to XSS attacks.


The login page hosted in the WSO2 server's authenticationendpoint web application is vulnerable to reflected XSS attacks, which enables attackers to inject client-side scripts into that page. The respective page used a weak output encoding mechanism which was not sufficient to escape malicious user inputs properly.


An attacker aware of the authentication endpoint origin can include malicious content in a request to login page and trick a user to click the malicious content via email or a neutral website. This reflects the attack on the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.


Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to

Code Product Version Patch
DS WSO2 Dashboard Server 2.0.0 WSO2-CARBON-PATCH-4.4.0-0421
EMM WSO2 Enterprise Mobility Manager 2.0.1 WSO2-CARBON-PATCH-4.4.0-0421


If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.