

Security Advisory WSO2-2020-0843

Published: October 12, 2020

Version: 1.0

Severity: Medium

CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 3.1.0 or earlier

OVERVIEW

Self Cross-Site Scripting (XSS) vulnerability in the API Manager Admin Portal.

DESCRIPTION

Self Cross-Site Scripting (XSS) vulnerability can be exploited when changing the application owner by sending a request with a malicious payload.

IMPACT

By leveraging the Self Cross-Site Scripting (XSS) vulnerability in the API Manager Admin Portal, an attacker could persuade an admin user using Social Engineering to submit a malicious payload and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or conduct further attacks against the victim.

SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

• https://github.com/wso2/carbon-apimgt/pull/9011

Info

If you are a WSO2 customer with a support subscription, use WSO2 Update Manager(WUM) updates in order to apply the fix to the affected versions.

CREDITS

WSO2 thanks, Zakaria BRAHIMI for responsibly reporting the identified issue and working with us as we addressed it.