

Security Advisory WSO2-2017-0190

Published: March 06, 2017

---

AFFECTED PRODUCTS

• WSO2 Complex Event Processor 4.2.0
• WSO2 Data Analytics Server 3.1.0
• WSO2 Enterprise Service Bus Analytics 5.0.0

OVERVIEW

A potential Reflected XSS vulnerability exists in the Event Simulator, Event Tracer and Template Manager components of the above-listed products.

DESCRIPTION

In several versions of Event Simulator, Event Tracer and Template manager components, potential reflected Cross-Site-Scripting vulnerability has been discovered.

IMPACT

An attacker aware of the management console origin can include malicious content in a request and trick a user to click the malicious content via email or a neutral website. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.

SOLUTION

The recommended solution is to apply provided patches or updates for affected components. Please refer below details on patching or updating the affected component.

For WSO2 Update Manager (WUM) Supported Products

Use WUM to update the following products.

Code	Product	Version	Patch
CEP	WSO2 Complex Event Processor	4.2.0
ESB	WSO2 Enterprise Service Bus	5.0.0

For Other Products

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code	Product	Version	Patch
CEP	WSO2 Complex Event Processor	4.2.0	WSO2-CARBON-PATCH-4.4.0-0745
DAS	WSO2 Data Analytics Server	3.1.0	WSO2-CARBON-PATCH-4.4.0-0745
ESB Analytics	WSO2 Enterprise Service Bus Analytics	5.0.0	WSO2-CARBON-PATCH-4.4.0-0614

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.

CREDITS

WSO2 thanks, Marcin Woloszyn for responsibly reporting the identified issues and working with us as we addressed them.