SECURITY ADVISORY CVE-2024-0392/WSO2-2023-2987

Published: June 25, 2024

Version: 1.0.0

Severity: Medium

CVSS Score: 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L


AFFECTED PRODUCTS

  • WSO2 Enterprise Integrator 6.6.0

Info

Please note that this announcement includes only the product versions affected as per our backporting policy.

OVERVIEW

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the management console.

DESCRIPTION

Because no CSRF token is implemented for them, malicious actors may conduct CSRF attacks against a few state-changing operations in the management console.
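The missing control described above is a per-session synchronizer token that every state-changing request must carry. The following is an added illustration of such a check, not WSO2 code; the session and request classes, the trusted origin and the paths are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for a server-side session (assumption, not WSO2's session API).
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

# Constructed minimal request object (assumption).
@dataclass
class Request:
    method: str
    path: str
    form: dict
    headers: dict
    session: Session

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TRUSTED_ORIGIN = "https://console.example.invalid:9443"  # constructed placeholder

def csrf_check(req: Request) -> tuple[bool, str]:
    """Synchronizer-token check for state-changing requests.

    Returns (allowed, reason). Safe methods pass; everything else must
    arrive from the console's own origin and carry the per-session token.
    """
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Origin check as defence in depth: a form auto-submitted from another
    # site carries that site's Origin (or none) and is rejected early.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
        return False, "cross-site origin"
    submitted = req.form.get("csrf_token")
    if not submitted:
        return False, "missing token"
    # Constant-time compare so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False, "token mismatch"
    return True, "ok"
```

A cross-site page cannot read the victim's token, so a forged POST fails the token check even when the browser attaches the victim's session cookie.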

IMPACT

If exploited, this vulnerability could result in unauthorized actions on behalf of users, affecting account settings and data integrity. It's important to note that the identified vulnerability only impacts a limited set of state-changing operations. Additionally, exploiting this vulnerability requires a social engineering effort to target the user with management console access.

SOLUTION

Commercial Users

Update your product to the specified update level—or a higher update level—to apply the fix.

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.

Product Name    Product Version    U2 Update Level
wso2ei          6.6.0              179

For All Users

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

CREDITS

WSO2 thanks Toqa Hassib, Cyber Security Consultant at Inovasys, for responsibly reporting the identified issue and working with us as we addressed it.

REFERENCES

https://www.cve.org/CVERecord?id=CVE-2024-0392