SECURITY ADVISORY CVE-2024-0392/WSO2-2023-2987

Published: June 25, 2024

Version: 1.0.0

Severity: Medium

CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)


AFFECTED PRODUCTS

  • WSO2 Enterprise Integrator 6.6.0

OVERVIEW

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the management console.

DESCRIPTION

Because the management console does not implement CSRF tokens, malicious actors may conduct CSRF attacks against a few state-changing operations in the management console.

IMPACT

If exploited, this vulnerability could result in unauthorized actions being performed on behalf of users, affecting account settings and data integrity. It is important to note that the identified vulnerability only impacts a limited set of state-changing operations. Additionally, exploiting this vulnerability requires social engineering to target a user who has management console access.
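As an added illustration (not WSO2 code, and not the console's actual handlers), the following constructed Python example contrasts a state-changing handler that trusts the session cookie alone with one that also validates a per-session synchronizer token; the in-memory session store, the request shape and the field names are assumptions.

```python
import hmac
import secrets

# Constructed stand-in for a management console session store (not WSO2 code).
SESSIONS = {}


def new_session(user):
    """Create a session that carries a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "settings": {}}
    return sid


def handle_update_vulnerable(request):
    """'Before' handler: the session cookie alone authorizes the change, so a
    cross-site POST that the browser sends with the victim's cookie succeeds."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    sess["settings"].update(request["form"])
    return 200


def handle_update_hardened(request):
    """'After' handler: the form must also carry the token stored in the session.
    A cross-site page cannot read that token, so a forged request is rejected
    before any state changes."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, sess["csrf"]):  # constant-time comparison
        return 403
    fields = {k: v for k, v in request["form"].items() if k != "csrf_token"}
    sess["settings"].update(fields)
    return 200


def demo():
    """Run a forged and a legitimate update through both handlers (constructed data)."""
    sid = new_session("admin")
    # Forged request: the cookie is attached automatically, but the attacker's
    # page cannot know the session token, so no csrf_token field is present.
    forged = {"cookies": {"sid": sid}, "form": {"email": "forged@example.invalid"}}
    legit = {"cookies": {"sid": sid},
             "form": {"email": "admin@example.invalid", "csrf_token": SESSIONS[sid]["csrf"]}}
    results = {"vulnerable_forged": handle_update_vulnerable(forged)}
    results["email_after_vulnerable"] = SESSIONS[sid]["settings"].get("email")
    results["hardened_forged"] = handle_update_hardened(forged)
    results["hardened_legit"] = handle_update_hardened(legit)
    results["email_final"] = SESSIONS[sid]["settings"].get("email")
    return results
```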

SOLUTION

We highly recommend migrating to the latest version of the respective WSO2 products to mitigate the identified vulnerability.

INFO

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.

CREDITS

WSO2 thanks Toqa Hassib, Cyber Security Consultant at Inovasys, for responsibly reporting the identified issue and working with us as we addressed it.

REFERENCES

https://www.cve.org/CVERecord?id=CVE-2024-0392