Skip to end of metadata
Go to start of metadata

Published: 02nd December 2019

Severity: Medium

CVSS Score: 5.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)


WSO2 API Manager

WSO2 API Manager Analytics

WSO2 Enterprise Integrator

WSO2 IS as Key Manager

WSO2 Identity Server

WSO2 Identity Server Analytics


A potential Cross-site Scripting (XSS) vulnerability has been identified in the management console.


This vulnerability can be exploited when adding a user store for the description field in queues by injecting malicious script as the user input through the management console.


By leveraging an XSS attack, an attacker can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser or harm otherwise. However, since all the session related sensitive cookies are set with httpOnly flag and protected, session hijacking or similar attack would not be possible.


Upgrade the affected products to the following versions or higher released version which is not affected by this vulnerability.  If you have any questions, post them to [email protected].



Safe version

AMWSO2 API Manager3.0.0
AM-Analytics WSO2 API Manager Analytics2.6.0
EIWSO2 Enterprise Integrator6.5.0
IS KMWSO2 IS as Key Manager5.9.0
ISWSO2 Identity Server5.8.0
IS-AnalyticsWSO2 Identity Server Analytics5.7.0

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix to the affected versions.


If you are using newer versions of affected products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed. 

It is highly recommended to migrate older versions of the WSO2 products to the latest released version to receive security fixes.

  • No labels