Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Published: 12th October 2020

Version: 1.0.0

Severity: Medium

CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)


AFFECTED PRODUCTS

WSO2 API Manager : 3.2.0 or earlier


OVERVIEW

Self Cross-Site Scripting (XSS) vulnerability in the API Manager Admin Portal.


DESCRIPTION

Self Cross-Site Scripting (XSS) vulnerability can be exploited when changing the application owner by sending a request with a malicious payload.


IMPACT

By leveraging the Self Cross-Site Scripting (XSS) vulnerability in the API Manager Admin Portal, an attacker could persuade an admin user using Social Engineering to submit a malicious payload and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or conduct further attacks against the victim.


SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-apimgt/pull/9011

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.


CREDITS

WSO2 thanks, Zakaria BRAHIMI for responsibly reporting the identified issue and working with us as we addressed it.

  • No labels