Security Advisory WSO2-2019-0486¶
Published: Novemeber 04, 2019
Severity: Medium
CVSS Score: 5.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)
AFFECTED PRODUCTS¶
- WSO2 API Manager
- WSO2 API Manager Analytics
- WSO2 Enterprise Integrator
- WSO2 IS as Key Manager
- WSO2 Identity Server
- WSO2 Identity Server Analytics
OVERVIEW¶
A potential Cross-site Scripting (XSS) vulnerability has been identified in the management console.
DESCRIPTION¶
This vulnerability can be exploited when adding a user store for the description field in queues by injecting malicious script as the user input through the management console.
IMPACT¶
By leveraging an XSS attack, an attacker can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser or harm otherwise. However, since all the session related sensitive cookies are set with httpOnly flag and protected, session hijacking or similar attack would not be possible.
SOLUTION¶
Upgrade the affected products to the following versions or higher released version which is not affected by this vulnerability. If you have any questions, post them to security@wso2.com.
| Code | Product | Safe version |
|---|---|---|
| AM | WSO2 API Manager | 3.0.0 |
| AM-Analytics | WSO2 API Manager Analytics | 2.6.0 |
| EI | WSO2 Enterprise Integrator | 6.5.0 |
| IS KM | WSO2 IS as Key Manager | 5.9.0 |
| IS | WSO2 Identity Server | 5.8.0 |
| IS-Analytics | WSO2 Identity Server Analytics | 5.7.0 |
Info
If you are a WSO2 customer with a support subscription, use WSO2 Update Manager (WUM) updates in order to apply the fix to the affected versions.
If you are using newer versions of the products than the ones mentioned in the SOLUTION section, this vulnerability is fixed.
It is highly recommended to migrate older versions of the WSO2 products to the latest released version to receive security fixes.