Security Advisory WSO2-2016-0138

Published: September 30, 2016


  • WSO2 API Manager 2.0.0
  • WSO2 Application Server 5.3.0
  • WSO2 Business Rules Server 2.2.0
  • WSO2 Data Services Server 3.5.0
  • WSO2 Message Broker 3.1.0


Message Flows UI of the above WSO2 products is vulnerable to reflected XSS attacks.


Two XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console, via that component, using reflected XSS. He can inject malicious scripts as a part of the URL which will be reflected in that component’s pages.


An attacker aware of the management console origin can include malicious content in a request to Message Flows page and trick a user to click the malicious content via email or a neutral website. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.


Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to

Code Product Version Patch
AM WSO2 API Manager 2.0.0 WSO2-CARBON-PATCH-4.4.0-0420
AS WSO2 Application Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0382
BRS WSO2 Business Rules Server 2.2.0 WSO2-CARBON-PATCH-4.4.0-0386
DSS WSO2 Data Services Server 3.5.0 WSO2-CARBON-PATCH-4.4.0-0385
MB WSO2 Message Broker 3.1.0 WSO2-CARBON-PATCH-4.4.0-0386


If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.