||
Skip to end of metadata
Go to start of metadata

Published: 30th September 2016


AFFECTED PRODUCTS

WSO2 Dashboard Server 2.0.0

WSO2 Enterprise Mobility Manager 2.0.1


OVERVIEW

Login page of the “authenticationendpoint” web application of the above mentioned WSO2 Servers is vulnerable to XSS attacks.


DESCRIPTION

Login page hosted in the WSO2 server’s “authenticationendpoint” web application is vulnerable to reflected XSS attacks, which enables attackers to inject client side scripts into that page. The respective page used a weak output encoding mechanism which was not sufficient to escape malicious user inputs properly.

 

IMPACT

An attacker aware of the authentication endpoint origin can include malicious content in a request to login page and trick a user to click the malicious content via email or a neutral web site. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.


SOLUTION

Apply the following patch, based on your product versions by following the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/. If you have any questions, please post them to security@wso2.com.


CodeProductVersionPatch
DSWSO2 Dashboard Server2.0.0WSO2-CARBON-PATCH-4.4.0-0421
EMMWSO2 Enterprise Mobility Manager2.0.1
  • No labels