Vulnerabilites related to wso2 - identity_server
CVE-2020-17453 (GCVE-0-2020-17453)
Vulnerability from cvelistv5
Published
2021-04-05 00:00
Modified
2024-08-04 13:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:53:17.471Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/JacksonHHax/status/1374681422678519813"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/JHHAX/CVE-2020-17453-PoC"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T02:23:53.848089",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://twitter.com/JacksonHHax/status/1374681422678519813"
},
{
"url": "https://github.com/JHHAX/CVE-2020-17453-PoC"
},
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-17453",
"datePublished": "2021-04-05T00:00:00",
"dateReserved": "2020-08-09T00:00:00",
"dateUpdated": "2024-08-04T13:53:17.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14444 (GCVE-0-2020-14444)
Vulnerability from cvelistv5
Published
2020-06-18 17:47
Modified
2024-08-04 12:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Policy Administration user interface.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0707 | x_refsource_CONFIRM | |
| https://cybersecurityworks.com/zerodays/cve-2020-14444-wso2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0707"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14444-wso2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Policy Administration user interface."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-28T19:30:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0707"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14444-wso2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14444",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Policy Administration user interface."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0707",
"refsource": "CONFIRM",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0707"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2020-14444-wso2.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14444-wso2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14444",
"datePublished": "2020-06-18T17:47:51",
"dateReserved": "2020-06-18T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29548 (GCVE-0-2022-29548)
Vulnerability from cvelistv5
Published
2022-04-21 00:00
Modified
2024-08-03 06:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:26:06.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:A/A:N/C:L/I:L/PR:N/S:U/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T04:55:32.147193",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603"
},
{
"url": "http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html"
},
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-29548",
"datePublished": "2022-04-21T00:00:00",
"dateReserved": "2022-04-21T00:00:00",
"dateUpdated": "2024-08-03T06:26:06.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18882 (GCVE-0-2019-18882)
Vulnerability from cvelistv5
Published
2019-11-12 02:56
Modified
2024-08-05 02:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:39.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-12T02:56:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-18882",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-18882",
"datePublished": "2019-11-12T02:56:10",
"dateReserved": "2019-11-12T00:00:00",
"dateUpdated": "2024-08-05T02:02:39.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29464 (GCVE-0-2022-29464)
Vulnerability from cvelistv5
Published
2022-04-18 00:00
Modified
2025-07-30 01:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:26:05.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20220422 CVE-2022-29464 :: WSO2 Unrestricted arbitrary file upload, and remote code to execution vulnerability.",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/04/22/7"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hakivvi/CVE-2022-29464"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29464",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T20:50:06.735704Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-04-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-29464"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:37:43.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2022-04-25T00:00:00+00:00",
"value": "CVE-2022-29464 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T21:51:05.905Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20220422 CVE-2022-29464 :: WSO2 Unrestricted arbitrary file upload, and remote code to execution vulnerability.",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/04/22/7"
},
{
"url": "https://github.com/hakivvi/CVE-2022-29464"
},
{
"url": "http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html"
},
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-29464",
"datePublished": "2022-04-18T00:00:00.000Z",
"dateReserved": "2022-04-18T00:00:00.000Z",
"dateUpdated": "2025-07-30T01:37:43.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20442 (GCVE-0-2019-20442)
Vulnerability from cvelistv5
Published
2020-01-27 23:36
Modified
2024-08-05 02:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636 | x_refsource_MISC | |
| https://github.com/cybersecurityworks/Disclosed/issues/25 | x_refsource_MISC | |
| https://cybersecurityworks.com/zerodays/cve-2019-20442-wso2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:09.915Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20442-wso2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:H/S:U/UI:R",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-29T20:41:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20442-wso2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20442",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:H/S:U/UI:R",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"name": "https://github.com/cybersecurityworks/Disclosed/issues/25",
"refsource": "MISC",
"url": "https://github.com/cybersecurityworks/Disclosed/issues/25"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2019-20442-wso2.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20442-wso2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20442",
"datePublished": "2020-01-27T23:36:56",
"dateReserved": "2020-01-27T00:00:00",
"dateUpdated": "2024-08-05T02:39:09.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14446 (GCVE-0-2020-14446)
Vulnerability from cvelistv5
Published
2020-06-18 17:47
Modified
2024-08-04 12:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713 | x_refsource_CONFIRM | |
| https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-28T19:27:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14446",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713",
"refsource": "CONFIRM",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14446",
"datePublished": "2020-06-18T17:47:32",
"dateReserved": "2020-06-18T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-20737 (GCVE-0-2018-20737)
Vulnerability from cvelistv5
Published
2019-03-18 20:16
Modified
2024-08-05 12:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20737/ | x_refsource_MISC | |
| https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/978/files | x_refsource_CONFIRM | |
| https://wso2.com/security-patch-releases/api-manager | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:29.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20737/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/978/files"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wso2.com/security-patch-releases/api-manager"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-01-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-18T20:16:49",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20737/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/978/files"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wso2.com/security-patch-releases/api-manager"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-20737",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20737/",
"refsource": "MISC",
"url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20737/"
},
{
"name": "https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/978/files",
"refsource": "CONFIRM",
"url": "https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/978/files"
},
{
"name": "https://wso2.com/security-patch-releases/api-manager",
"refsource": "CONFIRM",
"url": "https://wso2.com/security-patch-releases/api-manager"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-20737",
"datePublished": "2019-03-18T20:16:49",
"dateReserved": "2019-01-18T00:00:00",
"dateUpdated": "2024-08-05T12:12:29.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-14651 (GCVE-0-2017-14651)
Vulnerability from cvelistv5
Published
2017-09-21 18:00
Modified
2024-08-05 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cybersecurityworks/Disclosed/issues/15 | x_refsource_MISC | |
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265 | x_refsource_MISC | |
| https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:34:39.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-09-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-29T20:58:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-14651",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cybersecurityworks/Disclosed/issues/15",
"refsource": "MISC",
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
},
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-14651",
"datePublished": "2017-09-21T18:00:00",
"dateReserved": "2017-09-21T00:00:00",
"dateUpdated": "2024-08-05T19:34:39.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8716 (GCVE-0-2018-8716)
Vulnerability from cvelistv5
Published
2018-04-25 20:00
Modified
2024-08-05 07:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing attacks by low-privileged attackers.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerabilities-in-wso2-carbon-and-dashboard-server/index.html | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2018/Apr/45 | mailing-list, x_refsource_FULLDISC | |
| http://packetstormsecurity.com/files/147330/WSO2-Identity-Server-5.3.0-Cross-Site-Scripting.html | x_refsource_MISC | |
| https://www.exploit-db.com/exploits/44531/ | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/archive/1/541954/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:02:26.020Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerabilities-in-wso2-carbon-and-dashboard-server/index.html"
},
{
"name": "20180424 SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2018/Apr/45"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/147330/WSO2-Identity-Server-5.3.0-Cross-Site-Scripting.html"
},
{
"name": "44531",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/44531/"
},
{
"name": "20180424 SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/541954/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-04-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing attacks by low-privileged attackers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerabilities-in-wso2-carbon-and-dashboard-server/index.html"
},
{
"name": "20180424 SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2018/Apr/45"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/147330/WSO2-Identity-Server-5.3.0-Cross-Site-Scripting.html"
},
{
"name": "44531",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/44531/"
},
{
"name": "20180424 SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/541954/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-8716",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing attacks by low-privileged attackers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerabilities-in-wso2-carbon-and-dashboard-server/index.html",
"refsource": "MISC",
"url": "https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerabilities-in-wso2-carbon-and-dashboard-server/index.html"
},
{
"name": "20180424 SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2018/Apr/45"
},
{
"name": "http://packetstormsecurity.com/files/147330/WSO2-Identity-Server-5.3.0-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/147330/WSO2-Identity-Server-5.3.0-Cross-Site-Scripting.html"
},
{
"name": "44531",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/44531/"
},
{
"name": "20180424 SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/541954/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-8716",
"datePublished": "2018-04-25T20:00:00",
"dateReserved": "2018-03-14T00:00:00",
"dateUpdated": "2024-08-05T07:02:26.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4312 (GCVE-0-2016-4312)
Vulnerability from cvelistv5
Published
2017-02-16 18:00
Modified
2024-08-06 00:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.exploit-db.com/exploits/40239/ | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/archive/1/539199/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.securityfocus.com/bid/92485 | vdb-entry, x_refsource_BID | |
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096 | x_refsource_CONFIRM | |
| http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt | x_refsource_MISC | |
| http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:25:14.366Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "40239",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40239/"
},
{
"name": "20160813 WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"name": "92485",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92485"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-08-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "40239",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40239/"
},
{
"name": "20160813 WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"name": "92485",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92485"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2016-4312",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "40239",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40239/"
},
{
"name": "20160813 WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"name": "92485",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92485"
},
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096",
"refsource": "CONFIRM",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096"
},
{
"name": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt",
"refsource": "MISC",
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"name": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2016-4312",
"datePublished": "2017-02-16T18:00:00",
"dateReserved": "2016-04-27T00:00:00",
"dateUpdated": "2024-08-06T00:25:14.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6837 (GCVE-0-2023-6837)
Vulnerability from cvelistv5
Published
2023-12-15 09:41
Modified
2025-09-25 14:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:
* An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option.
* A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled.
Attacker should have:
* A fresh valid user account in the federated IDP that has not been used earlier.
* Knowledge of the username of a valid user in the local IDP.
When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | WSO2 | WSO2 API Manager |
Version: 2.5.0 < 2.5.0.32 Version: 2.6.0 < 2.6.0.52 Version: 3.0.0 < 3.0.0.50 Version: 3.1.0 < 3.1.0.72 Version: 3.2.0 < 3.2.0.86 Version: 4.0.0 < 4.0.0.35 |
||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:07.403Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.5.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.32",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
},
{
"lessThan": "2.6.0.52",
"status": "affected",
"version": "2.6.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.50",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.72",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.86",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "4.0.0.35",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.16",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.35",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.8.0.26",
"status": "affected",
"version": "5.8.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.38",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.78",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.69",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.17",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.39",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.45",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.80",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.authentication.framework",
"product": "WSO2 Carbon Identity Application Authentication Framework",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.11.256.3",
"status": "affected",
"version": "5.11.256",
"versionType": "custom"
},
{
"lessThan": "5.12.153.21",
"status": "affected",
"version": "5.12.153",
"versionType": "custom"
},
{
"lessThan": "5.12.387.7",
"status": "affected",
"version": "5.12.387",
"versionType": "custom"
},
{
"lessThan": "5.14.97.22",
"status": "affected",
"version": "5.14.97",
"versionType": "custom"
},
{
"lessThan": "5.17.5.106",
"status": "affected",
"version": "5.17.5",
"versionType": "custom"
},
{
"lessThan": "5.18.187.76",
"status": "affected",
"version": "5.18.187",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.20.254",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ngh\u0129a V\u0169 Trung"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. \u003cp\u003eIn order for this vulnerability to have any impact on your deployment, following conditions must be met:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn IDP configured for federated authentication and JIT provisioning enabled with the \"Prompt for username, password and consent\" option.\u003c/li\u003e\u003cli\u003eA service provider that uses the above IDP for federated authentication and has the \"Assert identity using mapped local subject identifier\" flag enabled.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAttacker should have:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA fresh valid user account in the federated IDP that has not been used earlier.\u003c/li\u003e\u003cli\u003eKnowledge of the username of a valid user in the local IDP.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWhen all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.\u003c/p\u003e"
}
],
"value": "Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:\n\n * An IDP configured for federated authentication and JIT provisioning enabled with the \"Prompt for username, password and consent\" option.\n * A service provider that uses the above IDP for federated authentication and has the \"Assert identity using mapped local subject identifier\" flag enabled.\n\n\nAttacker should have:\n\n * A fresh valid user account in the federated IDP that has not been used earlier.\n * Knowledge of the username of a valid user in the local IDP.\n\n\nWhen all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-25T14:59:58.384Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/#solution\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1...\u003c/a\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Follow the instructions given on\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/#solution"
}
],
"source": {
"advisory": "WSO2-2021-1573",
"discovery": "EXTERNAL"
},
"title": "Incorrect Authorization in Multiple WSO2 Products via Federated Authentication with JIT Provisioning Leading to User Impersonation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2023-6837",
"datePublished": "2023-12-15T09:41:22.719Z",
"dateReserved": "2023-12-15T09:40:50.666Z",
"dateUpdated": "2025-09-25T14:59:58.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24705 (GCVE-0-2020-24705)
Vulnerability from cvelistv5
Published
2020-08-27 00:00
Modified
2024-08-04 15:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.326Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T02:27:03.346897",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24705",
"datePublished": "2020-08-27T00:00:00",
"dateReserved": "2020-08-27T00:00:00",
"dateUpdated": "2024-08-04T15:19:09.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24706 (GCVE-0-2020-24706)
Vulnerability from cvelistv5
Published
2020-08-27 00:00
Modified
2024-08-04 15:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.362Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-09T05:58:33.145173",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718"
},
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24706",
"datePublished": "2020-08-27T00:00:00",
"dateReserved": "2020-08-27T00:00:00",
"dateUpdated": "2024-08-04T15:19:09.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24703 (GCVE-0-2020-24703)
Vulnerability from cvelistv5
Published
2020-08-27 00:00
Modified
2024-08-04 15:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T02:15:47.717517",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24703",
"datePublished": "2020-08-27T00:00:00",
"dateReserved": "2020-08-27T00:00:00",
"dateUpdated": "2024-08-04T15:19:09.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4311 (GCVE-0-2016-4311)
Vulnerability from cvelistv5
Published
2017-02-16 18:00
Modified
2024-08-06 00:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.exploit-db.com/exploits/40239/ | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/archive/1/539199/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.securityfocus.com/bid/92485 | vdb-entry, x_refsource_BID | |
| http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt | x_refsource_MISC | |
| http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:25:14.263Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "40239",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40239/"
},
{
"name": "20160813 WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"name": "92485",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92485"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-08-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "40239",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40239/"
},
{
"name": "20160813 WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"name": "92485",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92485"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2016-4311",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "40239",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40239/"
},
{
"name": "20160813 WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"name": "92485",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92485"
},
{
"name": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt",
"refsource": "MISC",
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"name": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2016-4311",
"datePublished": "2017-02-16T18:00:00",
"dateReserved": "2016-04-27T00:00:00",
"dateUpdated": "2024-08-06T00:25:14.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20443 (GCVE-0-2019-20443)
Vulnerability from cvelistv5
Published
2020-01-27 23:36
Modified
2024-08-05 02:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636 | x_refsource_MISC | |
| https://github.com/cybersecurityworks/Disclosed/issues/26 | x_refsource_MISC | |
| https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:09.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/26"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:H/S:U/UI:R",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-29T20:14:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/26"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20443",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:H/S:U/UI:R",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"name": "https://github.com/cybersecurityworks/Disclosed/issues/26",
"refsource": "MISC",
"url": "https://github.com/cybersecurityworks/Disclosed/issues/26"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20443",
"datePublished": "2020-01-27T23:36:43",
"dateReserved": "2020-01-27T00:00:00",
"dateUpdated": "2024-08-05T02:39:09.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20437 (GCVE-0-2019-20437)
Vulnerability from cvelistv5
Published
2020-01-27 23:38
Modified
2024-08-05 02:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect's URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker also needs to have privileges to log in to the management console, and to add and update identity provider configurations.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635 | x_refsource_MISC | |
| https://github.com/cybersecurityworks/Disclosed/issues/20 | x_refsource_MISC | |
| https://cybersecurityworks.com/zerodays/cve-2019-20437-wso2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:10.001Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/20"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20437-wso2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect\u0027s URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker also needs to have privileges to log in to the management console, and to add and update identity provider configurations."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-29T20:03:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/20"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20437-wso2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20437",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect\u0027s URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker also needs to have privileges to log in to the management console, and to add and update identity provider configurations."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635"
},
{
"name": "https://github.com/cybersecurityworks/Disclosed/issues/20",
"refsource": "MISC",
"url": "https://github.com/cybersecurityworks/Disclosed/issues/20"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2019-20437-wso2.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20437-wso2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20437",
"datePublished": "2020-01-27T23:38:16",
"dateReserved": "2020-01-27T00:00:00",
"dateUpdated": "2024-08-05T02:39:10.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6911 (GCVE-0-2023-6911)
Vulnerability from cvelistv5
Published
2023-12-18 08:32
Modified
2024-08-02 08:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | WSO2 | WSO2 API Manager |
Version: 2.2.0.0 < 2.2.0.1 Version: 2.5.0.0 < 2.5.0.1 Version: 2.6.0.0 < 2.6.0.1 Version: 3.0.0.0 < 3.0.0.1 Version: 3.1.0.0 < 3.1.0.1 Version: 3.2.0.0 < 3.2.0.1 |
|||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:08.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"repo": "https://github.com/wso2/product-apim",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.1",
"status": "affected",
"version": "2.2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.1",
"status": "affected",
"version": "2.5.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.0.1",
"status": "affected",
"version": "2.6.0.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.1",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.1",
"status": "affected",
"version": "3.1.0.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.1",
"status": "affected",
"version": "3.2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager Analytics",
"repo": "https://github.com/wso2/analytics-apim",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.1",
"status": "affected",
"version": "2.2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.1",
"status": "affected",
"version": "2.5.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Microgateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.1",
"status": "affected",
"version": "2.2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Data Analytics Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.1",
"status": "affected",
"version": "3.2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"repo": "https://github.com/wso2/product-ei",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.1.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.9",
"status": "affected",
"version": "6.1.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.1.9",
"status": "affected",
"version": "6.1.1.0",
"versionType": "custom"
},
{
"lessThan": "6.2.0.7",
"status": "affected",
"version": "6.2.0.0",
"versionType": "custom"
},
{
"lessThan": "6.3.0.1",
"status": "affected",
"version": "6.3.0.0",
"versionType": "custom"
},
{
"lessThan": "6.4.0.1",
"status": "affected",
"version": "6.4.0.0",
"versionType": "custom"
},
{
"lessThan": "6.5.0.6",
"status": "affected",
"version": "6.5.0.0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.11",
"status": "affected",
"version": "6.6.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 IS as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.5.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.1",
"status": "affected",
"version": "5.5.0.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.1",
"status": "affected",
"version": "5.6.0.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.1",
"status": "affected",
"version": "5.7.0.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.1",
"status": "affected",
"version": "5.9.0.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.1",
"status": "affected",
"version": "5.10.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"repo": "https://github.com/wso2/product-is",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.4.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.4.0.4",
"status": "affected",
"version": "5.4.0.0",
"versionType": "custom"
},
{
"lessThan": "5.4.1.3",
"status": "affected",
"version": "5.4.1.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.1",
"status": "affected",
"version": "5.5.0.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.1",
"status": "affected",
"version": "5.6.0.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.1",
"status": "affected",
"version": "5.7.0.0",
"versionType": "custom"
},
{
"lessThan": "5.8.0.5",
"status": "affected",
"version": "5.8.0.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.1",
"status": "affected",
"version": "5.9.0.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.1",
"status": "affected",
"version": "5.10.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server Analytics",
"repo": "https://github.com/wso2/analytics-is",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.4.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.4.0.2",
"status": "affected",
"version": "5.4.0.0",
"versionType": "custom"
},
{
"lessThan": "5.4.1.2",
"status": "affected",
"version": "5.4.1.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.1",
"status": "affected",
"version": "5.5.0.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.1",
"status": "affected",
"version": "5.6.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Message Broker",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.3",
"status": "affected",
"version": "3.2.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.\u003cbr\u003e"
}
],
"value": "Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-18T08:32:58.961Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\u003cbr\u003e\u003cbr\u003eCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225/\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1...\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225/ \n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2023-6911",
"datePublished": "2023-12-18T08:32:58.961Z",
"dateReserved": "2023-12-18T08:23:45.214Z",
"dateUpdated": "2024-08-02T08:42:08.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12719 (GCVE-0-2020-12719)
Vulnerability from cvelistv5
Published
2020-05-07 23:40
Modified
2024-08-04 12:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:H/I:N/PR:H/S:C/UI:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-07T23:40:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12719",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:H/I:N/PR:H/S:C/UI:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12719",
"datePublished": "2020-05-07T23:40:14",
"dateReserved": "2020-05-07T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42646 (GCVE-0-2021-42646)
Vulnerability from cvelistv5
Published
2022-05-11 00:00
Modified
2024-08-04 03:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:49.501Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wso2/carbon-identity-framework/pull/3472"
},
{
"name": "20220610 XML External Entity (XXE) vulnerability in the WSO2 Management Console",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/7"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T02:21:30.411666",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/wso2/carbon-identity-framework/pull/3472"
},
{
"name": "20220610 XML External Entity (XXE) vulnerability in the WSO2 Management Console",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/7"
},
{
"url": "http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html"
},
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42646",
"datePublished": "2022-05-11T00:00:00",
"dateReserved": "2021-10-18T00:00:00",
"dateUpdated": "2024-08-04T03:38:49.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18881 (GCVE-0-2019-18881)
Vulnerability from cvelistv5
Published
2019-11-12 02:56
Modified
2024-08-05 02:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:40.032Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-12T02:56:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-18881",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-18881",
"datePublished": "2019-11-12T02:56:20",
"dateReserved": "2019-11-12T00:00:00",
"dateUpdated": "2024-08-05T02:02:40.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6836 (GCVE-0-2023-6836)
Vulnerability from cvelistv5
Published
2023-12-15 09:26
Modified
2024-08-02 08:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Summary
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | WSO2 | WSO2 API Manager |
Version: 3.0.0.0 < 3.0.0.1 |
|||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:08.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager ",
"repo": "https://github.com/wso2/product-apim",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.0.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.1",
"status": "affected",
"version": "3.0.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager Analytics",
"repo": "https://github.com/wso2/analytics-apim",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.1",
"status": "affected",
"version": "2.2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.1",
"status": "affected",
"version": "2.5.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Microgateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.1",
"status": "affected",
"version": "2.2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"repo": "https://github.com/wso2/product-ei",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.0.0.2",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.3",
"status": "affected",
"version": "6.0.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.5",
"status": "affected",
"version": "6.1.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.1.5",
"status": "affected",
"version": "6.1.1.0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.1",
"status": "affected",
"version": "6.6.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 IS as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.5.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.1",
"status": "affected",
"version": "5.5.0.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.1",
"status": "affected",
"version": "5.6.0.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.1",
"status": "affected",
"version": "5.7.0.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.1",
"status": "affected",
"version": "5.9.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"repo": "https://github.com/wso2/product-is",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.4.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.4.0.1",
"status": "affected",
"version": "5.4.0.0",
"versionType": "custom"
},
{
"lessThan": "5.4.1.1",
"status": "affected",
"version": "5.4.1.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.1",
"status": "affected",
"version": "5.5.0.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.1",
"status": "affected",
"version": "5.6.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Micro Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.0.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.0.0.1",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."
}
],
"value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."
}
],
"impacts": [
{
"capecId": "CAPEC-250",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-250 XML Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-09T05:03:32.570Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\u003cbr\u003e\u003cbr\u003eCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ \n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2023-6836",
"datePublished": "2023-12-15T09:26:01.323Z",
"dateReserved": "2023-12-15T09:25:13.205Z",
"dateUpdated": "2024-08-02T08:42:08.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6838 (GCVE-0-2023-6838)
Vulnerability from cvelistv5
Published
2023-12-15 09:50
Modified
2024-08-02 08:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | WSO2 | WSO2 API Manager |
Version: 3.1.0.0 < 3.1.0.14 Version: 3.2.0.0 < 3.2.0.10 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:07.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1233/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"repo": "https://github.com/wso2/product-apim",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.14",
"status": "affected",
"version": "3.1.0.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.10",
"status": "affected",
"version": "3.2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"repo": "https://github.com/wso2/product-is",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.5",
"status": "affected",
"version": "5.10.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 IS as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.5",
"status": "affected",
"version": "5.10.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.\u003c/p\u003e"
}
],
"value": "Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-15T09:50:52.147Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1233/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\u003cbr\u003e\u003cbr\u003eCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1233/\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1...\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1233/ \n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2023-6838",
"datePublished": "2023-12-15T09:50:52.147Z",
"dateReserved": "2023-12-15T09:45:13.869Z",
"dateUpdated": "2024-08-02T08:42:07.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20436 (GCVE-0-2019-20436)
Vulnerability from cvelistv5
Published
2020-01-27 23:36
Modified
2024-08-05 02:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634 | x_refsource_MISC | |
| https://github.com/cybersecurityworks/Disclosed/issues/19 | x_refsource_MISC | |
| https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:09.966Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect\u0027s URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-29T20:05:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20436",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect\u0027s URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"
},
{
"name": "https://github.com/cybersecurityworks/Disclosed/issues/19",
"refsource": "MISC",
"url": "https://github.com/cybersecurityworks/Disclosed/issues/19"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20436",
"datePublished": "2020-01-27T23:36:25",
"dateReserved": "2020-01-27T00:00:00",
"dateUpdated": "2024-08-05T02:39:09.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36760 (GCVE-0-2021-36760)
Vulnerability from cvelistv5
Published
2021-12-07 20:48
Modified
2024-08-04 01:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/2021+Advisories | x_refsource_MISC | |
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-07T20:48:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-36760",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/2021+Advisories",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-36760",
"datePublished": "2021-12-07T20:48:56",
"dateReserved": "2021-07-16T00:00:00",
"dateUpdated": "2024-08-04T01:01:59.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14445 (GCVE-0-2020-14445)
Vulnerability from cvelistv5
Published
2020-06-18 17:47
Modified
2024-08-04 12:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Basic Policy Editor user Interface.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0711 | x_refsource_CONFIRM | |
| https://cybersecurityworks.com/zerodays/cve-2020-14445-wso2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.605Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0711"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14445-wso2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Basic Policy Editor user Interface."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:H/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-28T19:29:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0711"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14445-wso2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14445",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Basic Policy Editor user Interface."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:H/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0711",
"refsource": "CONFIRM",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0711"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2020-14445-wso2.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14445-wso2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14445",
"datePublished": "2020-06-18T17:47:40",
"dateReserved": "2020-06-18T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24704 (GCVE-0-2020-24704)
Vulnerability from cvelistv5
Published
2020-08-27 00:00
Modified
2024-08-04 15:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.324Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0685/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T02:18:33.400934",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0685/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24704",
"datePublished": "2020-08-27T00:00:00",
"dateReserved": "2020-08-27T00:00:00",
"dateUpdated": "2024-08-04T15:19:09.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2020-08-27 16:15
Modified
2024-11-21 05:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.2.0 | |
| wso2 | api_manager_analytics | 2.2.0 | |
| wso2 | api_microgateway | 2.2.0 | |
| wso2 | data_analytics_server | 3.2.0 | |
| wso2 | enterprise_integrator | * | |
| wso2 | identity_server | 5.5.0 | |
| wso2 | identity_server | 5.8.0 | |
| wso2 | identity_server_analytics | 5.5.0 | |
| wso2 | identity_server_as_key_manager | 5.5.0 | |
| wso2 | iot_server | 3.3.0 | |
| wso2 | iot_server | 3.3.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CCDDFAB-C8FC-41C4-9872-667C442F119B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16E39585-2B28-4631-A62F-27F17DC9AB4A",
"versionEndIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42BFE7A0-A168-4C1E-8725-41DD500C837E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FCAD802D-4746-49D2-AC21-7956F46274A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "53EC589C-09C6-440C-AF9A-DD86A23311FE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en determinados productos WSO2. La herramienta Try It permite un ataque de tipo XSS Reflejado. Esto afecta a API Manager versi\u00f3n 2.2.0, API Manager Analytics versi\u00f3n 2.2.0, API Microgateway versi\u00f3n 2.2.0, Data Analytics Server versi\u00f3n 3.2.0, Enterprise Integrator versiones hasta 6.6.0, IS as Key Manager versi\u00f3n 5.5.0, Identity Server versiones 5.5.0 y 5.8 .0, Identity Server Analytics versi\u00f3n 5.5.0 y IoT Server versiones 3.3.0 y 3.3.1"
}
],
"id": "CVE-2020-24704",
"lastModified": "2024-11-21T05:15:52.603",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-27T16:15:11.677",
"references": [
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0685/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0685/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-04-25 20:29
Modified
2024-11-21 04:14
Severity ?
Summary
WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing attacks by low-privileged attackers.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | identity_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF8C84AA-EC73-4B68-9C5C-EAC84A2EBD7D",
"versionEndExcluding": "5.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing attacks by low-privileged attackers."
},
{
"lang": "es",
"value": "WSO2 Identity Server, en versiones anteriores a la 5.5.0, tiene Cross-Site Scripting (XSS) mediante el dashboard, lo que permite ataques por parte de atacantes con pocos privilegios."
}
],
"id": "CVE-2018-8716",
"lastModified": "2024-11-21T04:14:11.720",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-04-25T20:29:00.510",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/147330/WSO2-Identity-Server-5.3.0-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2018/Apr/45"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/541954/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/44531/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerabilities-in-wso2-carbon-and-dashboard-server/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/147330/WSO2-Identity-Server-5.3.0-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2018/Apr/45"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/541954/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/44531/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerabilities-in-wso2-carbon-and-dashboard-server/index.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-05-08 00:15
Modified
2024-11-21 05:00
Severity ?
Summary
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | * | |
| wso2 | api_manager_analytics | * | |
| wso2 | api_microgateway | 2.2.0 | |
| wso2 | enterprise_integrator | * | |
| wso2 | identity_server | * | |
| wso2 | identity_server_analytics | * | |
| wso2 | identity_server_as_key_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80465515-637E-46D9-9F36-063B8549A539",
"versionEndIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ED7770E1-F3DA-427D-B93C-D2A99489D4D9",
"versionEndIncluding": "2.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14362336-D7A2-4A27-BE8A-13B396570896",
"versionEndIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C7BA1880-6A40-457D-8FF3-2C1658398F98",
"versionEndIncluding": "5.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05810F17-3BC8-400A-92BF-0D51E3580409",
"versionEndIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "417D475B-B552-4923-855E-B6DEDD609C86",
"versionEndIncluding": "5.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo XXE durante una actualizaci\u00f3n de EventPublisher puede presentarse en Management Console en WSO2 API Manager versiones 3.0.0 y anteriores, API Manager Analytics versiones 2.5.0 y anteriores, API Microgateway versi\u00f3n 2.2.0, Enterprise Integrator versiones 6.4.0 y anteriores, IS as Key Manager versiones 5.9.0 y anteriores, Identity Server versiones 5.9.0 y anteriores, e Identity Server Analytics versiones 5.6.0 y anteriores."
}
],
"id": "CVE-2020-12719",
"lastModified": "2024-11-21T05:00:08.550",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 5.8,
"source": "cve@mitre.org",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-08T00:15:12.033",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-15 10:15
Modified
2024-11-21 08:44
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | * | |
| wso2 | api_manager_analytics | 2.2.0 | |
| wso2 | api_manager_analytics | 2.5.0 | |
| wso2 | api_microgateway | 2.2.0 | |
| wso2 | enterprise_integrator | * | |
| wso2 | identity_server_as_key_manager | 5.0.0 | |
| wso2 | identity_server_as_key_manager | 5.6.0 | |
| wso2 | identity_server_as_key_manager | 5.7.0 | |
| wso2 | identity_server_as_key_manager | 5.9.0 | |
| wso2 | identity_server | 5.4.0 | |
| wso2 | identity_server | 5.4.1 | |
| wso2 | identity_server | 5.5.0 | |
| wso2 | identity_server | 5.6.0 | |
| wso2 | micro_integrator | 1.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80465515-637E-46D9-9F36-063B8549A539",
"versionEndIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16E39585-2B28-4631-A62F-27F17DC9AB4A",
"versionEndIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C016AEE9-7BF7-4BD8-913A-1BA02B2464CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B9E7D773-A7CE-4AB8-828B-C2E7DC2799AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CEA63B98-D4B4-4FCD-A869-FE64BC21A1B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "26542F95-73F3-4906-838E-A66F5DC9DFA5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A690D484-8402-4D45-833D-373D1713FA49",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."
},
{
"lang": "es",
"value": "Se han identificado varios productos WSO2 como vulnerables debido a que un ataque de entidad externa XML (XXE) abusa de una caracter\u00edstica ampliamente disponible pero rara vez utilizada de los analizadores XML para acceder a informaci\u00f3n confidencial."
}
],
"id": "CVE-2023-6836",
"lastModified": "2024-11-21T08:44:38.827",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-15T10:15:09.407",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-11 18:15
Modified
2024-11-21 06:27
Severity ?
Summary
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://seclists.org/fulldisclosure/2022/Jun/7 | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://github.com/wso2/carbon-identity-framework/pull/3472 | Patch, Third Party Advisory | |
| cve@mitre.org | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2022/Jun/7 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wso2/carbon-identity-framework/pull/3472 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.6.0 | |
| wso2 | api_manager | 3.0.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | identity_server | 5.7.0 | |
| wso2 | identity_server | 5.8.0 | |
| wso2 | identity_server | 5.9.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server_as_key_manager | 5.7.0 | |
| wso2 | identity_server_as_key_manager | 5.9.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF14774-8935-4FC9-B5C8-9771B3D6EBFD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "981D701D-E381-484A-9614-CD0EF0331071",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo XML External Entity (XXE) en la funci\u00f3n de creaci\u00f3n de proveedores de servicios basados en archivos de la Consola de Administraci\u00f3n en WSO2 API Manager versiones 2.6.0, 3.0.0, 3.1.0, 3.2.0 y 4.0.0; y WSO2 IS as Key Manager versiones 5.7.0, 5.9.0 y 5.10.0; y WSO2 Identity Server versiones 5.7.0, 5.8.0, 5.9.0, 5.10.0 y 5.11.0. Permite a atacantes conseguir acceso de lectura a informaci\u00f3n confidencial o causar una denegaci\u00f3n de servicio por medio de peticiones GET dise\u00f1adas"
}
],
"id": "CVE-2021-42646",
"lastModified": "2024-11-21T06:27:54.687",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-11T18:15:23.053",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/7"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wso2/carbon-identity-framework/pull/3472"
},
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wso2/carbon-identity-framework/pull/3472"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-01-28 01:15
Modified
2024-11-21 04:38
Severity ?
Summary
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634 | Vendor Advisory | |
| cve@mitre.org | https://github.com/cybersecurityworks/Disclosed/issues/19 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cybersecurityworks/Disclosed/issues/19 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.6.0 | |
| wso2 | identity_server | 5.7.0 | |
| wso2 | identity_server | 5.8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect\u0027s URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en WSO2 API Manager versi\u00f3n 2.6.0, WSO2 IS as Key Manager versi\u00f3n 5.7.0 y WSO2 Identity Server versi\u00f3n 5.8.0. Si se presenta un dialecto de reclamo configurado con una carga \u00fatil XSS en el URI de dialecto, y un usuario recoge el URI de este dialecto y lo agrega como el dialecto de reclamo del proveedor de servicios mientras configura el proveedor de servicios, esa carga es ejecutada. El atacante tambi\u00e9n necesita contar con privilegios para iniciar sesi\u00f3n en la consola de administraci\u00f3n y para agregar y configurar dialectos de reclamo."
}
],
"id": "CVE-2019-20436",
"lastModified": "2024-11-21T04:38:28.637",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-28T01:15:11.957",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/19"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/19"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-02-17 02:59
Modified
2025-04-20 01:37
Severity ?
Summary
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | identity_server | 5.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A18E2C98-4FD9-43EE-95EA-E03AFCF753E3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials."
},
{
"lang": "es",
"value": "Vulnerabilidad de XXE en la funcionalidad de flujo XACML en WSO2 Identity Server 5.1.0 en versiones anteriores a WSO2-CARBON-PATCH-4.4.0-0231 permite a usuarios remotos autenticados con acceso a caracter\u00edsticas XACML leer archivos arbitrarios, provocar una denegaci\u00f3n de servicio, realizar ataques de SSRF o tener otros impactos no especificados a trav\u00e9s de una solicitud de XACML creada para entitlement/eval-policy-submit.jsp. NOTA: este problema se puede combinar con CVE-2016-4311 para explotar la vulnerabilidad sin credenciales."
}
],
"id": "CVE-2016-4312",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-02-17T02:59:11.953",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
},
{
"source": "cret@cert.org",
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92485"
},
{
"source": "cret@cert.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096"
},
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40239/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92485"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40239/"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-18 18:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Policy Administration user interface.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2020-14444-wso2.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0707 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2020-14444-wso2.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0707 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | identity_server | * | |
| wso2 | identity_server_as_key_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C7BA1880-6A40-457D-8FF3-2C1658398F98",
"versionEndIncluding": "5.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "417D475B-B552-4923-855E-B6DEDD609C86",
"versionEndIncluding": "5.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Policy Administration user interface."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en WSO2 Identity Server versiones hasta 5.9.0 y WSO2 IS como Key Manager versiones hasta 5.9.0. Se identific\u00f3 una potencial vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado en la interfaz de usuario Management Console Policy Administration"
}
],
"id": "CVE-2020-14444",
"lastModified": "2024-11-21T05:03:17.577",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-18T18:15:11.107",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14444-wso2.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0707"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14444-wso2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0707"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-27 16:15
Modified
2024-11-21 05:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.2.0 | |
| wso2 | api_manager_analytics | 2.2.0 | |
| wso2 | api_microgateway | 2.2.0 | |
| wso2 | data_analytics_server | 3.2.0 | |
| wso2 | enterprise_integrator | * | |
| wso2 | identity_server | 5.5.0 | |
| wso2 | identity_server | 5.8.0 | |
| wso2 | identity_server_analytics | 5.5.0 | |
| wso2 | identity_server_as_key_manager | 5.5.0 | |
| wso2 | iot_server | 3.3.0 | |
| wso2 | iot_server | 3.3.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CCDDFAB-C8FC-41C4-9872-667C442F119B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16E39585-2B28-4631-A62F-27F17DC9AB4A",
"versionEndIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42BFE7A0-A168-4C1E-8725-41DD500C837E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FCAD802D-4746-49D2-AC21-7956F46274A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "53EC589C-09C6-440C-AF9A-DD86A23311FE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en determinados productos WSO2. Se puede enviar una cookie de sesi\u00f3n v\u00e1lida de Carbon Management Console hacia un servidor controlado por el atacante si la v\u00edctima env\u00eda una petici\u00f3n Try It dise\u00f1ada, tambi\u00e9n se conoce como Session Hijacking. Esto afecta a API Manager versi\u00f3n 2.2.0, API Manager Analytics versi\u00f3n 2.2.0, API Microgateway versi\u00f3n 2.2.0, Data Analytics Server versi\u00f3n 3.2.0, Enterprise Integrator versiones hasta 6.6.0, IS as Key Manager versi\u00f3n 5.5.0, Identity Server versiones 5.5.0 y 5.8 .0, Identity Server Analytics versi\u00f3n 5.5.0 y IoT Server versiones 3.3.0 y 3.3.1"
}
],
"id": "CVE-2020-24703",
"lastModified": "2024-11-21T05:15:52.450",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-27T16:15:11.583",
"references": [
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-18 22:15
Modified
2025-04-03 18:54
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | * | |
| wso2 | enterprise_integrator | * | |
| wso2 | identity_server | * | |
| wso2 | identity_server_analytics | 5.4.0 | |
| wso2 | identity_server_analytics | 5.4.1 | |
| wso2 | identity_server_analytics | 5.5.0 | |
| wso2 | identity_server_analytics | 5.6.0 | |
| wso2 | identity_server_as_key_manager | * | |
| wso2 | open_banking_am | * | |
| wso2 | open_banking_iam | 2.0.0 | |
| wso2 | open_banking_km | * |
{
"cisaActionDue": "2022-05-16",
"cisaExploitAdd": "2022-04-25",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "WSO2 Multiple Products Unrestrictive Upload of File Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0460F2B-2C36-4C93-85B6-7810E9C5B68F",
"versionEndIncluding": "4.0.0",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "054C6F0A-DC86-4CFC-B304-7BC93B708494",
"versionEndIncluding": "6.6.0",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F16D1A0F-F00F-4471-A11A-7C3D6B83E7CB",
"versionEndIncluding": "5.11.0",
"versionStartIncluding": "5.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C32F5725-22BA-417A-B2A6-F120CA377E39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B388C2B1-89EF-4D16-AD6A-675BDC6E3854",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42BFE7A0-A168-4C1E-8725-41DD500C837E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5508EC5E-BEEA-49A7-BA2E-AEF40ECCB5C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77334E1B-A4C9-40A1-8ED9-7123476817E5",
"versionEndIncluding": "5.10.0",
"versionStartIncluding": "5.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3B9E4BCA-7BD2-442F-B99B-734232249C04",
"versionEndIncluding": "2.0.0",
"versionStartIncluding": "1.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_km:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8364191-344F-4F73-A9CF-2516F24E856C",
"versionEndIncluding": "1.5.0",
"versionStartIncluding": "1.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0."
},
{
"lang": "es",
"value": "Algunos productos WSO2 permiten la carga de archivos sin restricciones con la consiguiente ejecuci\u00f3n remota de c\u00f3digo. El atacante debe utilizar un endpoint /fileupload con una secuencia de recorrido de directorio Content-Disposition para alcanzar un directorio bajo la ra\u00edz web, como un directorio ../../../../repositorio/despliegue/servidor/webapps. Esto afecta a WSO2 API Manager 2.2.0 y superior hasta 4.0.0; WSO2 Identity Server 5.2.0 y superior hasta 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 y 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 y superior hasta 5.10.0; y WSO2 Enterprise Integrator 6.2.0 y superior hasta 6.6.0"
}
],
"id": "CVE-2022-29464",
"lastModified": "2025-04-03T18:54:31.780",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-18T22:15:09.027",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/04/22/7"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/hakivvi/CVE-2022-29464"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/04/22/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/hakivvi/CVE-2022-29464"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-27 16:15
Modified
2024-11-21 05:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | * | |
| wso2 | api_manager_analytics | 2.5.0 | |
| wso2 | identity_server | * | |
| wso2 | identity_server_analytics | * | |
| wso2 | identity_server_as_key_manager | * | |
| wso2 | iot_server | 3.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E71049-86F8-479F-8D9D-2D67B2CC6EB4",
"versionEndIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5601E5C8-011F-4FF3-A327-3B2D637EAC79",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05810F17-3BC8-400A-92BF-0D51E3580409",
"versionEndIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78933A5F-C186-47B9-8EC3-161C4451B719",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "663657FF-9D02-49A2-B988-315D52D7E220",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en determinados productos WSO2. Se puede enviar una cookie de sesi\u00f3n v\u00e1lida de Carbon Management Console hacia un servidor controlado por el atacante si la v\u00edctima env\u00eda una petici\u00f3n Try It dise\u00f1ada, tambi\u00e9n se conoce como Session Hijacking. Esto afecta a API Manager versiones hasta 3.1.0, API Manager Analytics versi\u00f3n 2.5.0, IS as Key Manager versiones hasta 5.10.0, Identity Server versiones hasta 5.10.0, Identity Server Analytics versiones hasta 5.6.0 e IoT Server 3.1.0"
}
],
"id": "CVE-2020-24705",
"lastModified": "2024-11-21T05:15:52.763",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-27T16:15:11.753",
"references": [
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-09-21 18:29
Modified
2025-04-20 01:37
Severity ?
Summary
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265 | Patch, Vendor Advisory | |
| cve@mitre.org | https://github.com/cybersecurityworks/Disclosed/issues/15 | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cybersecurityworks/Disclosed/issues/15 | Exploit, Technical Description, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.1.0 | |
| wso2 | app_manager | 1.2.0 | |
| wso2 | application_server | 5.3.0 | |
| wso2 | business_process_server | 3.6.0 | |
| wso2 | business_rules_server | 2.2.0 | |
| wso2 | complex_event_processor | 4.2.0 | |
| wso2 | dashboard_server | 2.0.0 | |
| wso2 | data_analytics_server | 3.1.0 | |
| wso2 | data_services_server | 3.5.1 | |
| wso2 | enterprise_integrator | 6.1.1 | |
| wso2 | enterprise_mobility_manager | 2.2.0 | |
| wso2 | governance_registry | 5.4.0 | |
| wso2 | identity_server | 5.3.0 | |
| wso2 | iot_server | 3.0.0 | |
| wso2 | machine_learner | 1.2.0 | |
| wso2 | message_broker | 3.2.0 | |
| wso2 | storage_server | 1.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "245D4EB1-F69D-4FAF-94DB-F4B3D3C20539",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:app_manager:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DD697F16-E1A2-4320-A76E-794B05D3620B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:application_server:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8891BAB1-C357-4BC7-8B7A-541B9698F0A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:business_process_server:3.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E1F3AA02-B597-4C9F-936A-A4DC91F590B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:business_rules_server:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5435A911-096A-4DEE-9E04-1D3CBF4D98D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:complex_event_processor:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "397D6C9B-62A5-42FC-AB3B-C03598C25A7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:dashboard_server:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AF5FB891-085E-4777-B771-1CDC367B8848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "941D83A5-1978-49AE-890D-E31980E2D6AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_services_server:3.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DEC72298-39AC-450F-8419-951057332163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EA3B48BB-ECB5-4A94-B76D-97BC3D303E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_mobility_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A9D6FCEF-7685-42DD-B322-AD87B5F37574",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:governance_registry:5.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7B815FD-E12D-46CE-94B3-06ED2C75285D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0375C318-ECD2-4657-A0D7-4A0708266FBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "00E81462-A034-4540-A086-7D836C6B17E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:machine_learner:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CE333EE1-8158-40AF-8367-ACDCAA498516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:message_broker:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C8E3ADAB-067C-4D18-BDCA-43DDC607E4BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:storage_server:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E0036440-3C00-4776-8DF6-AC30256EADBD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter."
},
{
"lang": "es",
"value": "WSO2 Data Analytics Server 3.1.0 tiene una vulnerabilidad de tipo Cross-Site Scripting (XSS) en carbon/resources/add_collection_ajaxprocessor.jsp mediante los par\u00e1metros collectionName o parentPath."
}
],
"id": "CVE-2017-14651",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-21T18:29:00.167",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-15 10:15
Modified
2025-06-05 09:15
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:
* An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option.
* A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled.
Attacker should have:
* A fresh valid user account in the federated IDP that has not been used earlier.
* Knowledge of the username of a valid user in the local IDP.
When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E62ACAB4-6529-471C-B745-28407BA3A0C5",
"versionEndExcluding": "2.5.0.32",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E4AB4A2D-D94C-453A-BC20-ACABBCBAECBC",
"versionEndExcluding": "2.6.0.52",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B6E26E38-DEAB-46ED-847A-C0F6B56BA851",
"versionEndExcluding": "3.0.0.50",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BAA5AB2-23D0-43B2-8074-15A92958379F",
"versionEndExcluding": "3.1.0.72",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4C51C15-36D9-4C24-A0E5-19455802595F",
"versionEndExcluding": "3.2.0.86",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3AF9FC6-07A6-4A23-8F21-8CF1406991D5",
"versionEndExcluding": "4.0.0.35",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "47875554-4BA7-47AB-AFE6-577128444FC9",
"versionEndExcluding": "5.6.0.16",
"versionStartIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B1A501D3-3159-4651-A354-BE63C2E4EF13",
"versionEndExcluding": "5.7.0.35",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5468F1F-BD90-4782-A6F4-ADC13F503EBC",
"versionEndExcluding": "5.8.0.26",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EBA067AC-25AC-4598-93E2-FCFF0B141F49",
"versionEndExcluding": "5.9.0.38",
"versionStartIncluding": "5.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F98C4F7D-2620-4379-BED9-DFA947472980",
"versionEndExcluding": "5.10.0.78",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92C02A2C-8F3D-441A-B592-B98CBEF965C8",
"versionEndExcluding": "5.11.0.69",
"versionStartIncluding": "5.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A6592F46-7874-4CC0-8E4D-A444E12218CA",
"versionEndExcluding": "5.6.0.17",
"versionStartIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "35351011-04FA-4DC8-81B9-27DFD613A7EB",
"versionEndExcluding": "5.7.0.39",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B16BE871-1EAD-4D6B-A915-759D3549BD62",
"versionEndExcluding": "5.9.0.45",
"versionStartIncluding": "5.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "47CE52D2-CA37-477D-B799-D6CF6E521758",
"versionEndExcluding": "5.10.0.80",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_endpoint:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F57CC816-9AAA-48FD-AD1C-5D9101F852E3",
"versionEndExcluding": "5.11.256.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_endpoint:*:*:*:*:*:*:*:*",
"matchCriteriaId": "750A4AB8-90EC-4A1E-BC77-C024A92AF58E",
"versionEndExcluding": "5.12.153.19",
"versionStartIncluding": "5.11.257.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_endpoint:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E1B2D11D-6E17-4D27-93A7-ACBE6D937DF7",
"versionEndExcluding": "5.20.254",
"versionStartIncluding": "5.12.154.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC342DD8-0D3D-4D27-82C6-799931EB2434",
"versionEndExcluding": "5.11.256.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6EBE458F-D40E-4353-839F-682695126FB4",
"versionEndExcluding": "5.12.153.21",
"versionStartIncluding": "5.11.257.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7917C09-061E-4CB9-9AFA-A11C586C9AEC",
"versionEndExcluding": "5.12.387.7",
"versionStartIncluding": "5.12.154.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6679CD05-D6F0-4523-AC3C-F3A0DC014B21",
"versionEndExcluding": "5.14.97.22",
"versionStartIncluding": "5.12.388.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38C3DCF6-0E1D-4D4D-BC93-5C099178F3A5",
"versionEndExcluding": "5.17.5.106",
"versionStartIncluding": "5.14.98.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5DD3DC78-1770-4282-8C7F-7C6AE23E29CA",
"versionEndExcluding": "5.18.187.76",
"versionStartIncluding": "5.17.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:carbon_identity_application_authentication_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F64F48D-1AEF-44D8-89A6-590040350783",
"versionEndExcluding": "5.20.254",
"versionStartIncluding": "5.18.188.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:\n\n * An IDP configured for federated authentication and JIT provisioning enabled with the \"Prompt for username, password and consent\" option.\n * A service provider that uses the above IDP for federated authentication and has the \"Assert identity using mapped local subject identifier\" flag enabled.\n\n\nAttacker should have:\n\n * A fresh valid user account in the federated IDP that has not been used earlier.\n * Knowledge of the username of a valid user in the local IDP.\n\n\nWhen all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation."
},
{
"lang": "es",
"value": "Se han identificado varios productos WSO2 como vulnerables para realizar suplantaciones de usuarios mediante el aprovisionamiento JIT. Para que esta vulnerabilidad tenga alg\u00fan impacto en su implementaci\u00f3n, se deben cumplir las siguientes condiciones: * Un IDP configurado para autenticaci\u00f3n federada y aprovisionamiento JIT habilitado con la opci\u00f3n \"Solicitar nombre de usuario, contrase\u00f1a y consentimiento\". * Un proveedor de servicios que utiliza el IDP anterior para la autenticaci\u00f3n federada y tiene habilitada la opci\u00f3n \"Afirmar identidad utilizando un identificador de sujeto local asignado\". El atacante debe tener: * Una cuenta de usuario nueva y v\u00e1lida en el IDP federado que no se haya utilizado anteriormente. * Conocimiento del nombre de usuario de un usuario v\u00e1lido en el IDP local. Cuando se cumplen todas las condiciones previas, un actor malintencionado podr\u00eda utilizar el flujo de aprovisionamiento JIT para realizar la suplantaci\u00f3n de usuario."
}
],
"id": "CVE-2023-6837",
"lastModified": "2025-06-05T09:15:21.813",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.7,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.8,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-15T10:15:09.767",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-12-07 21:15
Modified
2024-11-21 06:14
Severity ?
Summary
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 3.0.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | identity_server | 5.7.0 | |
| wso2 | identity_server | 5.8.0 | |
| wso2 | identity_server | 5.9.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server_as_key_manager | 5.3.0 | |
| wso2 | identity_server_as_key_manager | 5.5.0 | |
| wso2 | identity_server_as_key_manager | 5.6.0 | |
| wso2 | identity_server_as_key_manager | 5.7.0 | |
| wso2 | identity_server_as_key_manager | 5.9.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | iot_server | 3.3.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF14774-8935-4FC9-B5C8-9771B3D6EBFD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "981D701D-E381-484A-9614-CD0EF0331071",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "104DBA04-538E-4CC5-9B6C-CFEDB40375AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "53EC589C-09C6-440C-AF9A-DD86A23311FE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)"
},
{
"lang": "es",
"value": "En el archivo accountrecoveryendpoint/recoverpassword.do en WSO2 Identity Server versi\u00f3n 5.7.0, es posible llevar a cabo un ataque de tipo XSS basado en DOM que afecta al par\u00e1metro callback modificando la URL que precede al par\u00e1metro callback. Una vez que el procedimiento de restablecimiento del nombre de usuario o de la contrase\u00f1a ha sido completado, el c\u00f3digo JavaScript ser\u00e1 ejecutado. (recoverpassword.do tambi\u00e9n presenta un problema de redireccionamiento abierto por un motivo similar)"
}
],
"id": "CVE-2021-36760",
"lastModified": "2024-11-21T06:14:02.127",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-07T21:15:08.297",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-02-17 02:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | identity_server | 5.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A18E2C98-4FD9-43EE-95EA-E03AFCF753E3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request."
},
{
"lang": "es",
"value": "Vulnerabilidad de CSRF en la funcionalidad de flujo XACML en WSO2 Identity Server 5.1.0 permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios privilegiados para solicitudes que procesan solicitudes XACML a trav\u00e9s de una solicitud entitlement/eval-policy-submit.jsp."
}
],
"id": "CVE-2016-4311",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-02-17T02:59:11.907",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
},
{
"source": "cret@cert.org",
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92485"
},
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40239/"
},
{
"source": "nvd@nist.gov",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92485"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40239/"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-21 02:15
Modified
2024-11-21 06:59
Severity ?
4.6 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.2.0 | |
| wso2 | api_manager | 2.5.0 | |
| wso2 | api_manager | 2.6.0 | |
| wso2 | api_manager | 3.0.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | api_manager_analytics | 2.2.0 | |
| wso2 | api_manager_analytics | 2.5.0 | |
| wso2 | api_manager_analytics | 2.6.0 | |
| wso2 | api_microgateway | 2.2.0 | |
| wso2 | data_analytics_server | 3.2.0 | |
| wso2 | enterprise_integrator | 6.2.0 | |
| wso2 | enterprise_integrator | 6.3.0 | |
| wso2 | enterprise_integrator | 6.4.0 | |
| wso2 | enterprise_integrator | 6.5.0 | |
| wso2 | enterprise_integrator | 6.6.0 | |
| wso2 | identity_server | 5.5.0 | |
| wso2 | identity_server | 5.6.0 | |
| wso2 | identity_server | 5.7.0 | |
| wso2 | identity_server | 5.9.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server_analytics | 5.5.0 | |
| wso2 | identity_server_analytics | 5.6.0 | |
| wso2 | identity_server_as_key_manager | 5.5.0 | |
| wso2 | identity_server_as_key_manager | 5.6.0 | |
| wso2 | identity_server_as_key_manager | 5.7.0 | |
| wso2 | identity_server_as_key_manager | 5.9.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | micro_integrator | 1.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0D57C8CF-084D-4142-9AF1-7C9F1261A3BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF14774-8935-4FC9-B5C8-9771B3D6EBFD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "839D1F1E-E921-4DA0-951D-E62607BB2B3F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CCDDFAB-C8FC-41C4-9872-667C442F119B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "66292C25-B0B9-4FCE-9382-57B8F6BB814A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "709DC7EA-18A6-4B83-84CB-F2499BEB5D2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "18E8577A-B322-4A70-B8AB-9DE45EFDF229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4FCA89E3-F37E-494E-AD46-B9A04E608908",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "26542F95-73F3-4906-838E-A66F5DC9DFA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "981D701D-E381-484A-9614-CD0EF0331071",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42BFE7A0-A168-4C1E-8725-41DD500C837E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5508EC5E-BEEA-49A7-BA2E-AEF40ECCB5C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A690D484-8402-4D45-833D-373D1713FA49",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0."
},
{
"lang": "es",
"value": "Se presenta un problema de tipo XSS reflejado en la Consola de Administraci\u00f3n de varios productos WSO2. Esto afecta a API Manager versiones 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 y 4.0.0; API Manager Analytics versiones 2.2.0, 2.5.0 y 2.6.0; API Microgateway versi\u00f3n 2.2.0; Data Analytics Server versi\u00f3n 3.2.0; Enterprise Integrator versiones 6.2.0, 6.3.0, 6.4. 0, 6.5.0 y 6.6.0; IS as Key Manager versiones 5.5.0, 5.6.0, 5.7.0, 5.9.0 y 5.10.0; Identity Server versiones 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0 y 5.11.0; Identity Server Analytics versiones 5.5.0 y 5.6.0; y WSO2 Micro Integrator versi\u00f3n 1.0.0"
}
],
"id": "CVE-2022-29548",
"lastModified": "2024-11-21T06:59:18.107",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-21T02:15:06.800",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603"
},
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-18 18:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Basic Policy Editor user Interface.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2020-14445-wso2.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0711 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2020-14445-wso2.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0711 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | identity_server | * | |
| wso2 | identity_server_as_key_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C7BA1880-6A40-457D-8FF3-2C1658398F98",
"versionEndIncluding": "5.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "417D475B-B552-4923-855E-B6DEDD609C86",
"versionEndIncluding": "5.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Basic Policy Editor user Interface."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en WSO2 Identity Server versiones hasta 5.9.0 y WSO2 IS como Key Manager versiones hasta 5.9.0. Se ha identificado una potencial vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado en la interfaz de usuario Management Console Basic Policy Editor"
}
],
"id": "CVE-2020-14445",
"lastModified": "2024-11-21T05:03:17.743",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.3,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-18T18:15:11.170",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14445-wso2.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0711"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14445-wso2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0711"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-18 09:15
Modified
2024-11-21 08:44
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0D57C8CF-084D-4142-9AF1-7C9F1261A3BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF14774-8935-4FC9-B5C8-9771B3D6EBFD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CCDDFAB-C8FC-41C4-9872-667C442F119B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D64106E7-1956-4AAA-915F-7E6DB7461BD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EA3B48BB-ECB5-4A94-B76D-97BC3D303E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "66292C25-B0B9-4FCE-9382-57B8F6BB814A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "709DC7EA-18A6-4B83-84CB-F2499BEB5D2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "18E8577A-B322-4A70-B8AB-9DE45EFDF229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4FCA89E3-F37E-494E-AD46-B9A04E608908",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B9E7D773-A7CE-4AB8-828B-C2E7DC2799AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CEA63B98-D4B4-4FCD-A869-FE64BC21A1B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "26542F95-73F3-4906-838E-A66F5DC9DFA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "981D701D-E381-484A-9614-CD0EF0331071",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C32F5725-22BA-417A-B2A6-F120CA377E39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B388C2B1-89EF-4D16-AD6A-675BDC6E3854",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42BFE7A0-A168-4C1E-8725-41DD500C837E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5508EC5E-BEEA-49A7-BA2E-AEF40ECCB5C8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:message_broker:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C8E3ADAB-067C-4D18-BDCA-43DDC607E4BA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.\n"
},
{
"lang": "es",
"value": "Se han identificado varios productos WSO2 como vulnerables debido a una codificaci\u00f3n de salida incorrecta; un atacante puede llevar a cabo un ataque de Cross-Site Scripting (XSS) Almacenado inyectando un payload malicioso en la funci\u00f3n de registro de Management Console."
}
],
"id": "CVE-2023-6911",
"lastModified": "2024-11-21T08:44:49.210",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-18T09:15:05.810",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-01-28 00:15
Modified
2024-11-21 04:38
Severity ?
Summary
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636 | Vendor Advisory | |
| cve@mitre.org | https://github.com/cybersecurityworks/Disclosed/issues/26 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cybersecurityworks/Disclosed/issues/26 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.6.0 | |
| wso2 | enterprise_integrator | 6.5.0 | |
| wso2 | identity_server | 5.7.0 | |
| wso2 | identity_server | 5.8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4FCA89E3-F37E-494E-AD46-B9A04E608908",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en WSO2 API Manager versi\u00f3n 2.6.0, WSO2 Enterprise Integrator versi\u00f3n 6.5.0, WSO2 IS as Key Manager versi\u00f3n 5.7.0 y WSO2 Identity Server versi\u00f3n 5.8.0. Se identific\u00f3 una potencial vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado en mediaType en la Interfaz de Usuario de registro."
}
],
"id": "CVE-2019-20443",
"lastModified": "2024-11-21T04:38:29.677",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 0.9,
"impactScore": 2.5,
"source": "cve@mitre.org",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-28T00:15:10.993",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/26"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/26"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-12 03:15
Modified
2024-11-21 04:33
Severity ?
Summary
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | identity_server | 5.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled."
},
{
"lang": "es",
"value": "WSO2 IS como Key Manager versi\u00f3n 5.7.0, permite un ataque de tipo XSS almacenado en el archivo download-userinfo.jag porque Content-Type es manejado inapropiadamente."
}
],
"id": "CVE-2019-18882",
"lastModified": "2024-11-21T04:33:46.260",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-12T03:15:10.807",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-03-21 16:00
Modified
2024-11-21 04:02
Severity ?
Summary
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/978/files | Patch, Third Party Advisory | |
| cve@mitre.org | https://wso2.com/security-patch-releases/api-manager | Patch, Third Party Advisory, Vendor Advisory | |
| cve@mitre.org | https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20737/ | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/978/files | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wso2.com/security-patch-releases/api-manager | Patch, Third Party Advisory, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20737/ | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.6.0 | |
| wso2 | identity_server | 5.7.0 | |
| wso2 | identity_server_as_key_manager | 5.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product."
},
{
"lang": "es",
"value": "Se ha descubierto un problema en WSO2 API Manager 2.1.0 y 2.6.0. Existe Cross-Site Scripting (XSS) reflejado en la parte carbon de producto."
}
],
"id": "CVE-2018-20737",
"lastModified": "2024-11-21T04:02:04.200",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-03-21T16:00:37.843",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/978/files"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://wso2.com/security-patch-releases/api-manager"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20737/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/978/files"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://wso2.com/security-patch-releases/api-manager"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20737/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-01-28 00:15
Modified
2024-11-21 04:38
Severity ?
Summary
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2019-20442-wso2.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636 | Vendor Advisory | |
| cve@mitre.org | https://github.com/cybersecurityworks/Disclosed/issues/25 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2019-20442-wso2.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cybersecurityworks/Disclosed/issues/25 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.6.0 | |
| wso2 | enterprise_integrator | 6.5.0 | |
| wso2 | identity_server | 5.7.0 | |
| wso2 | identity_server | 5.8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4FCA89E3-F37E-494E-AD46-B9A04E608908",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en WSO2 API Manager versi\u00f3n 2.6.0, WSO2 Enterprise Integrator versi\u00f3n 6.5.0, WSO2 IS as Key Manager versi\u00f3n 5.7.0 y WSO2 Identity Server versi\u00f3n 5.8.0. Se identific\u00f3 una potencial vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado en roleToAuthorize en la Interfaz de Usuario de registro."
}
],
"id": "CVE-2019-20442",
"lastModified": "2024-11-21T04:38:29.533",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 0.9,
"impactScore": 2.5,
"source": "cve@mitre.org",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-28T00:15:10.930",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20442-wso2.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20442-wso2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/25"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-18 18:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | identity_server | * | |
| wso2 | identity_server_as_key_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5601E5C8-011F-4FF3-A327-3B2D637EAC79",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78933A5F-C186-47B9-8EC3-161C4451B719",
"versionEndIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en WSO2 Identity Server versiones hasta 5.10.0 y WSO2 IS como Key Manager versiones hasta 5.10.0. Se presenta un redireccionamiento abierto"
}
],
"id": "CVE-2020-14446",
"lastModified": "2024-11-21T05:03:17.897",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-18T18:15:11.247",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-27 16:15
Modified
2024-11-21 05:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | * | |
| wso2 | api_manager_analytics | 2.5.0 | |
| wso2 | identity_server | * | |
| wso2 | identity_server_analytics | * | |
| wso2 | identity_server_as_key_manager | * | |
| wso2 | iot_server | 3.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E71049-86F8-479F-8D9D-2D67B2CC6EB4",
"versionEndIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5601E5C8-011F-4FF3-A327-3B2D637EAC79",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05810F17-3BC8-400A-92BF-0D51E3580409",
"versionEndIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78933A5F-C186-47B9-8EC3-161C4451B719",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "663657FF-9D02-49A2-B988-315D52D7E220",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en determinados productos WSO2. La herramienta Try It permite un ataque de tipo XSS Reflejado. Esto afecta a API Manager versiones hasta 3.1.0, API Manager Analytics versi\u00f3n 2.5.0, IS as Key Manager versiones hasta 5.10.0, Identity Server versiones hasta 5.10.0, Identity Server Analytics versiones hasta 5.6.0 y IoT Server versi\u00f3n 3.1.0"
}
],
"id": "CVE-2020-24706",
"lastModified": "2024-11-21T05:15:53.777",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-27T16:15:11.877",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718"
},
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-12 03:15
Modified
2024-11-21 04:33
Severity ?
Summary
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | identity_server | 5.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile."
},
{
"lang": "es",
"value": "WSO2 IS como Key Manager versi\u00f3n 5.7.0, permite un ataque de tipo XSS reflejado no autenticado en el perfil de usuario del panel."
}
],
"id": "CVE-2019-18881",
"lastModified": "2024-11-21T04:33:46.117",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-12T03:15:10.747",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0625"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-15 10:15
Modified
2024-11-21 08:44
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | identity_server | 5.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.\n\n"
},
{
"lang": "es",
"value": "Vulnerabilidad XSS reflejada se puede explotar alterando un par\u00e1metro de solicitud en el endpoint de autenticaci\u00f3n. Esto se puede realizar tanto en solicitudes autenticadas como no autenticadas."
}
],
"id": "CVE-2023-6838",
"lastModified": "2024-11-21T08:44:39.153",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-15T10:15:10.000",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1233/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1233/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-01-28 01:15
Modified
2024-11-21 04:38
Severity ?
Summary
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect's URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker also needs to have privileges to log in to the management console, and to add and update identity provider configurations.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2019-20437-wso2.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635 | Vendor Advisory | |
| cve@mitre.org | https://github.com/cybersecurityworks/Disclosed/issues/20 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2019-20437-wso2.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cybersecurityworks/Disclosed/issues/20 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.6.0 | |
| wso2 | identity_server | 5.7.0 | |
| wso2 | identity_server | 5.8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect\u0027s URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker also needs to have privileges to log in to the management console, and to add and update identity provider configurations."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en WSO2 API Manager versi\u00f3n 2.6.0, WSO2 IS as Key Manager versi\u00f3n 5.7.0 y WSO2 Identity Server versi\u00f3n 5.8.0. Cuando un dialecto de reclamo personalizado con una carga \u00fatil de tipo XSS es establecido en la configuraci\u00f3n b\u00e1sica de reclamo del proveedor de identidad, esa carga \u00fatil es ejecutada, si un usuario recoge el URI de ese dialecto como el reclamo de aprovisionamiento en la configuraci\u00f3n de reclamo avanzada del mismo proveedor de identidad. El atacante tambi\u00e9n necesita contar con privilegios para iniciar sesi\u00f3n en la consola de administraci\u00f3n y para agregar y actualizar las configuraciones del proveedor de identidad."
}
],
"id": "CVE-2019-20437",
"lastModified": "2024-11-21T04:38:28.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-28T01:15:12.037",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20437-wso2.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2019-20437-wso2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/20"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-05 22:15
Modified
2024-11-21 05:08
Severity ?
Summary
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | * | |
| wso2 | api_manager_analytics | 2.2.0 | |
| wso2 | api_manager_analytics | 2.5.0 | |
| wso2 | api_manager_analytics | 2.6.0 | |
| wso2 | api_microgateway | 2.2.0 | |
| wso2 | enterprise_integrator | * | |
| wso2 | identity_server | * | |
| wso2 | identity_server_analytics | 5.4.0 | |
| wso2 | identity_server_analytics | 5.4.1 | |
| wso2 | identity_server_analytics | 5.5.0 | |
| wso2 | identity_server_analytics | 5.6.0 | |
| wso2 | identity_server_as_key_manager | 5.5.0 | |
| wso2 | identity_server_as_key_manager | 5.6.0 | |
| wso2 | identity_server_as_key_manager | 5.7.0 | |
| wso2 | identity_server_as_key_manager | 5.9.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | micro_integrator | 1.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C1156A8D-E315-45CC-A53E-224CF9861371",
"versionEndIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "839D1F1E-E921-4DA0-951D-E62607BB2B3F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16E39585-2B28-4631-A62F-27F17DC9AB4A",
"versionEndIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5601E5C8-011F-4FF3-A327-3B2D637EAC79",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C32F5725-22BA-417A-B2A6-F120CA377E39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B388C2B1-89EF-4D16-AD6A-675BDC6E3854",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42BFE7A0-A168-4C1E-8725-41DD500C837E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5508EC5E-BEEA-49A7-BA2E-AEF40ECCB5C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A690D484-8402-4D45-833D-373D1713FA49",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter."
},
{
"lang": "es",
"value": "WSO2 Management Console versiones hasta 5.10, permite un ataque de tipo XSS por medio del par\u00e1metro msgId en el archivo carbon/admin/login.jsp"
}
],
"id": "CVE-2020-17453",
"lastModified": "2024-11-21T05:08:08.883",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-05T22:15:12.633",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/JHHAX/CVE-2020-17453-PoC"
},
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/JacksonHHax/status/1374681422678519813"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/JHHAX/CVE-2020-17453-PoC"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/JacksonHHax/status/1374681422678519813"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}