Published: 17th August 2020
CVSS Score: XSS: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
WSO2 API Manager : 3.12.0 or earlier
WSO2 API Manager Analytics : 2.5.0
WSO2 IS as Key Manager : 5.10.0 or earlier
WSO2 Identity Server : 5.10.0 or earlier
WSO2 Identity Server Analytics : 5.6.0 or earlier
WSO2 IoT Server : 3.1.0
You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-kernel/pull/2669, https://github.com/wso2/carbon-kernel/pull/2663, https://github.com/wso2/carbon-kernel/pull/2662
If you are a WSO2 customer with a Support Subscription, please use WSO2 Update Manager (WUM) updates to apply the fix.
2020-09-24: API Manager 3.2.0 added to the affected product list.
WSO2 thanks Krzysztof Przybylski for responsibly reporting the identified issue and working with us as we addressed it.