Skip to end of metadata
Go to start of metadata

Published: 30th September 2016


WSO2 API Manager 2.0.0

WSO2 Message Broker 3.1.0


Carbon Metrics UI of above WSO2 products is vulnerable to reflected XSS attacks.


Several XSS vulnerabilities were discovered in the Carbon Metrics component of WSO2 products. An attacker can possibly attack the management console, via that component, using reflected XSS. He can inject malicious scripts as a part of the URL which will be reflected in that component’s pages.



An attacker aware of the management console origin can include malicious content in a request to Carbon Metrics UI pages, and trick a user to click the malicious content via email or a neutral web site. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.


Apply the following patch based on your product versions by following the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.

If you have any questions, please post them to [email protected].

AMWSO2 API Manager2.0.0


MBWSO2 Message Broker3.1.0

  • No labels