Security Advisory WSO2-2017-0203

Published: March 06, 2017


AFFECTED PRODUCTS

  • WSO2 Message Broker 3.1.0

OVERVIEW

The Message Broker event UI of the above WSO2 products is vulnerable to a potential reflected XSS attack.

DESCRIPTION

A potential XSS vulnerability has been discovered in the andes event UI component in Message Broker. An attacker can possibly attack the management console via this component, using a reflected XSS and inject malicious scripts as a part of the URL which will be reflected in that component’s pages.

IMPACT

An attacker aware of the management console origin can include malicious content in a request to event UI's add_subtopic page and trick a user to click the malicious content via email or a neutral website. This reflects the attack back to the user's browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.

SOLUTION

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code Product Version Patch
MB WSO2 Message Broker 3.1.0 WSO2-CARBON-PATCH-4.4.0-0766

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.