Security Advisory WSO2-2017-0254¶
Published: September 04, 2017
Severity: Low
CVSS Score: 2.4 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager 2.1.0
- WSO2 API Manager Analytics 2.1.0
- WSO2 App Manager 1.2.0
- WSO2 Application Server 5.3.0
- WSO2 Business Process Server 3.6.0
- WSO2 Business Rules Server 2.2.0
- WSO2 Complex Event Processor 4.2.0
- WSO2 Dashboard Server 2.0.0
- WSO2 Data Analytics Server 3.1.0
- WSO2 Data Services Server 3.5.1
- WSO2 Enterprise Mobility Manager 2.2.0
- WSO2 Governance Registry 5.4.0
- WSO2 Identity Server 5.3.0
- WSO2 Identity Server Analytics 5.3.0
- WSO2 Identity Server as Key Manager 5.3.0
- WSO2 IoT Server 3.0.0
- WSO2 Machine Learner 1.2.0
- WSO2 Storage Server 1.5.0
OVERVIEW¶
A potential Reflected Cross Site Scripting (XSS) vulnerability has been identified in the Management Console.
DESCRIPTION¶
In Carbon Tenant Management UI, the identified XSS attack can be performed when a user injects a malicious executable script as a user input through the carbon management console.
This issue has been fixed in affected component versions with a security patch/update given for specific products.
IMPACT¶
An attacker aware of the management console origin can include malicious content in a request and trick a user to click the malicious content via email or a neutral website. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.
SOLUTION¶
Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.
Download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from Security Patch Releases.
| Code | Product | Version | Patch |
|---|---|---|---|
| AppM | WSO2 App Manager | 1.2.0 | WSO2-CARBON-PATCH-4.4.0-1129 |
| AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-1117 |
| BPS | WSO2 Business Process Server | 3.6.0 | WSO2-CARBON-PATCH-4.4.0-1136 |
| BRS | WSO2 Business Rules Server | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-1121 |
| CEP | WSO2 Complex Event Processor | 4.2.0 | WSO2-CARBON-PATCH-4.4.0-1105 |
| DAS | WSO2 Data Analytics Server | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-1105 |
| DS | WSO2 Dashboard Server | 2.0.0 | WSO2-CARBON-PATCH-4.4.0-1121 |
| DSS | WSO2 Data Services Server | 3.5.1 | WSO2-CARBON-PATCH-4.4.0-1105 |
| IoTS | WSO2 IoT Server | 3.0.0 | WSO2-CARBON-PATCH-4.4.0-1115 |
| ML | WSO2 Machine Learner | 1.2.0 | WSO2-CARBON-PATCH-4.4.0-1105 |
| SS | WSO2 Storage Server | 1.5.0 | WSO2-CARBON-PATCH-4.3.0-0019 |
| AM | WSO2 API Manager | 2.1.0 | WSO2-CARBON-PATCH-4.4.0-1115 |
| AM-Analytics | WSO2 API Manager Analytics | 2.1.0 | WSO2-CARBON-PATCH-4.4.0-1115 |
| EMM | WSO2 Enterprise Mobility Manager | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-1138 |
| GREG | WSO2 Governance Registry | 5.4.0 | WSO2-CARBON-PATCH-4.4.0-1140 |
| IS | WSO2 Identity Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-1115 |
| IS-Analytics | WSO2 Identity Server Analytics | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-1115 |
| IS-KM | WSO2 Identity Server as Key Manager | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-1115 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.