Security Advisory WSO2-2017-0198¶
Published: September 04, 2017
Severity: Medium
CVSS Score: 4.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)
AFFECTED PRODUCTS¶
- WSO2 Identity Server 5.3.0
OVERVIEW¶
A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Workflow Engine Profile.
DESCRIPTION¶
In several versions of the WSO2 Workflow Engine Profile, an XSS vulnerability has been discovered which affects all versions above 5.0.7 of the Identity Workflow implementation.
The older versions of WSO2 Identity which are not listed in this advisory are not vulnerable to this attack.
IMPACT¶
An attacker aware of the management console origin can include malicious content in a request and trick a user to click the malicious content via email or a neutral website. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.
SOLUTION¶
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| IS | WSO2 Identity Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0991 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.