SECURITY ADVISORY CVE-2024-0392/WSO2-2023-2987¶
Published: June 25, 2024
Version: 1.0.0
Severity: Medium
CVSS Score: 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
AFFECTED PRODUCTS¶
- WSO2 Enterprise Integrator 6.6.0
OVERVIEW¶
Cross Site Request Forgery vulnerability has been identified in the management console.
DESCRIPTION¶
Due to the absence of CSRF-Token implementation, malicious actors may conduct CSRF attacks against few state-changing operations in the management console.
IMPACT¶
If exploited, this vulnerability could result in unauthorized actions on behalf of users, affecting account settings and data integrity. It's important to note that the identified vulnerability only impacts a limited set of state-changing operations. Additionally, exploiting this vulnerability requires a social engineering effort to target the user with management console access.
SOLUTION¶
We highly recommend to migrate the latest version of respective WSO2 products to mitigate the identified vulnerabilities.
Info
If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.
CREDITS¶
WSO2 thanks, Toqa Hassib - Cyber Security Consultant at Inovasys for responsibly reporting the identified issue and working with us as we addressed it.