Securin Zero-Days
CVE-2019-20437 - Stored Cross-Site Scripting in WSO2 Product
Description
A vulnerability was discovered in the management console of WSO2 products. The stored cross-site scripting (XSS) vulnerability allows an attacker to execute malicious code when a claim dialect is configured with an XSS payload in its dialect URI, a user then picks that malicious dialect URI, and adds it as the service provider claim dialect while configuring the service provider.
Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics
Proof of Concept (POC):
The dialect parameter of the POST request to https://localhost:9443/carbon/identity-claim-mgt/add-dialect-finish-ajaxprocessor.jsp is vulnerable to stored cross-site scripting (XSS).

Figure 01: Adding XSS payload to the dialect variable.

Figure 02: Added XSS payload, <script>alert(document.cookie)</script> gets stored.

Figure 03: Edit the service provider information.

Figure 04: Select the XSS payload stored in the claims.

Figure 05: Add Service Provider Claim Dialect URI by selecting the stored URI value from claims.

Figure 06: Injected XSS payload gets executed in the browser after adding claims.
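The flaw class shown in the figures is a stored value rendered into management-console markup without output encoding. The following is an added example, not WSO2 code, that models the two defensive controls a fix needs: server-side validation of the dialect URI on the add request, and context-aware HTML encoding when the stored dialect list is rendered into the service provider claim selector. The function names, the option markup and the sample dialect list are constructed for illustration.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample of what a stored claim-dialect list might hold:
# one legitimate dialect URI and one carrying the payload from the advisory.
SAMPLE_DIALECTS = [
    "http://wso2.org/claims",
    "<script>alert(document.cookie)</script>",
]

# RFC 3986 URIs consist only of unreserved, reserved and percent-encoded
# characters; anything else (<, >, ", whitespace, ...) is rejected outright.
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def is_valid_dialect_uri(value: str) -> bool:
    """Input validation for the add-dialect request (hypothetical helper)."""
    if not value or not _URI_CHARS.match(value):
        return False
    parsed = urlparse(value)
    # Restrict to schemes a claim dialect is expected to use.
    return parsed.scheme in ("http", "https", "urn") and bool(parsed.netloc or parsed.path)


def render_option_vulnerable(uri: str) -> str:
    """Models the defect: the stored value is concatenated into markup as-is."""
    return f'<option value="{uri}">{uri}</option>'


def render_option_safe(uri: str) -> str:
    """Hardened form: HTML-encode for both the attribute and the text context."""
    enc = html.escape(uri, quote=True)
    return f'<option value="{enc}">{enc}</option>'


def build_claim_dialect_select(dialects: list[str]) -> str:
    """Render the selector: drop anything that fails validation, encode the rest."""
    options = [render_option_safe(d) for d in dialects if is_valid_dialect_uri(d)]
    return '<select name="claimDialect">' + "".join(options) + "</select>"
```

Encoding at render time is the control that stops the stored payload from executing; validation on the add request is defence in depth so the value never reaches storage.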
Impact
Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page or retrieving information from the browser are possible. However, since all session-related sensitive cookies are set with the HttpOnly flag and therefore protected, session hijacking or a similar attack would not be possible.
Remediations
Download the relevant patch based on the product version.
Code  | Product                | Version | Patch
AM    | WSO2 API Manager       | 2.6.0   |
IS KM | WSO2 IS as Key Manager | 5.7.0   |
IS    | WSO2 Identity Server   | 5.8.0   |
Timeline