Security Advisory WSO2-2020-0843¶
Published: October 12, 2020
CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
- WSO2 API Manager : 3.1.0 or earlier
Self Cross-Site Scripting (XSS) vulnerability in the API Manager Admin Portal.
Self Cross-Site Scripting (XSS) vulnerability can be exploited when changing the application owner by sending a request with a malicious payload.
By leveraging the Self Cross-Site Scripting (XSS) vulnerability in the API Manager Admin Portal, an attacker could persuade an admin user using Social Engineering to submit a malicious payload and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or conduct further attacks against the victim.
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
Otherwise, you may apply the relevant fixes to the product based on the public fix(s):
If you are a WSO2 customer with a support subscription, use WSO2 Update Manager(WUM) updates in order to apply the fix to the affected versions.
WSO2 thanks, Zakaria BRAHIMI for responsibly reporting the identified issue and working with us as we addressed it.