Security Advisory WSO2-2021-1338
Published: December 03, 2021
Version: 1.0.0
Severity: Medium
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)
AFFECTED PRODUCTS
- WSO2 API Manager: 3.0.0, 3.1.0, 3.2.0
OVERVIEW
Stored Cross-Site Scripting (XSS) vulnerability in the API Store and Publisher.
DESCRIPTION
A malicious actor may use the API documentation feature of the API Publisher to perform a Stored Cross-Site Scripting (XSS) attack targeting API Store and Publisher users.
IMPACT
By leveraging the Stored Cross-Site Scripting (XSS) vulnerability, a malicious actor can cause the browser to be redirected to a malicious website, alter the UI of the web page, retrieve information from the browser, or cause other harm. In addition, it should be assumed that the Cross-Site Request Forgery (CSRF) protection is also impacted. However, since the session-related sensitive cookies are set with the httpOnly flag and are therefore protected, a session hijacking attack would not be possible.
SOLUTION
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.
Otherwise, you may apply the relevant fixes to the product based on the public fix(es):
As part of the fix, embedding HTML content within markdown will be disabled by default. If, and only if, HTML is used within markdown, such content should be migrated to markdown format without using HTML content. If you are willing to temporarily accept this security risk until content migration is complete, the skipHtml configuration value can be changed to false in publisher/site/public/conf/settings.js and devportal/site/public/theme/settings.js. Due to the security implications explained here, it is highly recommended to keep skipHtml set to true.
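As an added example that is not WSO2's code, the following models the effect of the skipHtml switch described above on a constructed piece of API documentation: with the value at true, author-supplied HTML tags are dropped and only markdown-generated markup reaches the page; with it at false, the tags pass through unchanged. The tiny renderer, the sample document and the helper names are all assumptions made for illustration, not the product's implementation.

```javascript
// Added example, not code from WSO2 API Manager: a tiny markdown renderer that
// models the skipHtml switch named in the advisory. It handles only paragraph
// text, **bold**, `code` and raw HTML tags, enough to show what the switch changes.

// Constructed sample of API documentation content, as a Publisher user might save it.
const SAMPLE_DOC = [
  'Call `GET /pets` first.',
  '<b>Note:</b> tokens expire after one hour.',
  '<script src="https://example.invalid/x.js"></script>',
  'See the **reference** section.',
].join('\n');

// Escape text so that it is rendered literally, never interpreted as markup.
function escapeText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Split one line into text tokens and raw HTML tag tokens.
function tokenize(line) {
  const tokens = [];
  const tagRe = /<\/?[a-zA-Z][^>]*>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(line)) !== null) {
    if (m.index > last) tokens.push({ type: 'text', value: line.slice(last, m.index) });
    tokens.push({ type: 'html', value: m[0] });
    last = tagRe.lastIndex;
  }
  if (last < line.length) tokens.push({ type: 'text', value: line.slice(last) });
  return tokens;
}

// Render markdown to HTML. With skipHtml=true raw HTML tags are dropped, so only
// markdown-generated markup reaches the page; with skipHtml=false they pass through
// untouched, which is the behaviour the advisory's default setting turns off.
function renderMarkdown(md, { skipHtml = true } = {}) {
  return md.split('\n').map((line) => {
    const inner = tokenize(line).map((tok) => {
      if (tok.type === 'html') return skipHtml ? '' : tok.value;
      return escapeText(tok.value)
        .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
        .replace(/`(.+?)`/g, '<code>$1</code>');
    }).join('');
    return `<p>${inner}</p>`;
  }).join('\n');
}

// True when the rendered output still carries author-supplied script markup.
function containsScript(html) {
  return /<script\b/i.test(html);
}
```

The second sample line also shows the migration the advisory asks for: `<b>Note:</b>` loses its emphasis under skipHtml=true, whereas `**Note:**` would keep it without any raw HTML.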
Info
If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.
CREDITS
WSO2 thanks Ali Yavuz Çukur for responsibly reporting the identified issue and working with us as we addressed it.