Securin Zero-Days
CVE-2019-20440 - Multiple Reflected Cross-site Scripting in WSO2
Description
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in WSO2 API Manager 2.6.0, in the update API documentation feature of the API Publisher. A reflected XSS vulnerability allows an attacker to inject malicious code into the application. The input variables vulnerable to reflected XSS are ‘docName’, ‘version’ and ‘apiName’ in the APIs page.
Proof of Concept (POC):
The following vulnerability was tested on the WSO2 API Manager version 2.6.0 Product.
Issue 01: Multiple Reflected Cross-Site Scripting.

Figure 01: Update the existing document information created (here the API name is ‘reflected XSS’).

Figure 02: Add XSS payload to the variable “docName.”

Figure 03: HTTP response for the modified “docName” variable with XSS payload.

Figure 04: Injected XSS payload, “><script>alert(document.cookie)</script> gets reflected in the browser response.
Issue 02 & 03:

Figure 05: Injected XSS payload in variable docName, version, and apiName gets reflected in the response.

Figure 06: Injected payload gets reflected in the browser THREE times (THREE places).

Figure 07: How the page looks after executing the injected XSS payload.
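The reflection shown in the figures above, reduced to a sketch: this is an added example, not WSO2 code or the advisory's own, in which a hypothetical template echoes docName, version and apiName into quoted attributes, first raw and then HTML-encoded. The template, the function names and the sample request are assumptions made for the illustration.

```javascript
// Added illustration: none of this is WSO2 source code. The template, the
// function names and the sample request are constructed for the example.

// HTML-encode a value for use in element content or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The three parameters the advisory names as reflected.
const REFLECTED_PARAMS = ['docName', 'version', 'apiName'];

// Hypothetical page fragment that echoes each parameter into a quoted attribute.
// `encode` is the function applied to every value before it reaches the markup.
function renderDocForm(params, encode) {
  return REFLECTED_PARAMS
    .map((name) => `<input type="hidden" name="${name}" value="${encode(params[name] ?? '')}">`)
    .join('\n');
}

const renderUnsafe = (params) => renderDocForm(params, String);      // 'before': raw echo
const renderEncoded = (params) => renderDocForm(params, encodeHtml); // 'after': encoded echo

// Regression check: how many times does a value appear in the markup verbatim,
// that is, without having been encoded?
function countRawReflections(html, value) {
  return value === '' ? 0 : html.split(value).length - 1;
}

// Constructed request using the payload shown in Figure 04 (with straight quotes).
const payload = '"><script>alert(document.cookie)</script>';
const sampleParams = { docName: payload, version: payload, apiName: payload };

console.log('raw reflections, unencoded:', countRawReflections(renderUnsafe(sampleParams), payload));
console.log('raw reflections, encoded:  ', countRawReflections(renderEncoded(sampleParams), payload));
console.log(renderEncoded(sampleParams));
```

The unencoded render reflects the value verbatim in three places, matching Figure 06; the encoded render keeps the value inside the attribute as inert text.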
Impact
Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page or retrieving information from the browser are possible. But since all session-related sensitive cookies are set with the httpOnly flag and protected, session hijacking or mounting a similar attack would not be possible.
Remediations
Download the following patch based on your product version.
Code | Product | Version | Patch |
AM | WSO2 API Manager | 2.6.0 |
Timeline