Published: 12th October 2020
CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
WSO2 API Manager : 3.1.0 or earlier
Self Cross-Site Scripting (XSS) vulnerability in the API Manager Admin Portal.
Self Cross-Site Scripting (XSS) vulnerability can be exploited when changing the application owner by sending a request with a malicious payload.
By leveraging the Self Cross-Site Scripting (XSS) vulnerability in the API Manager Admin Portal, an attacker could persuade an admin user using Social Engineering to submit a malicious payload and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or conduct further attacks against the victim.
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-apimgt/pull/9011
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.
WSO2 thanks, Zakaria BRAHIMI for responsibly reporting the identified issue and working with us as we addressed it.