Multiple reflected cross-site scripting (XSS) vulnerability was identified on WSO2 Data Analytics Server Product in the Data source creation page of the Management Console. A reflected cross-site script (XSS) vulnerability allows an attacker to inject malicious code in the data source creation page of the Management Console by sending an HTTP GET request with a harmful request parameter.
Securin Zero-Days
CVE-2019-20434 – Multiple Reflected Cross-Site Scripting in WSO2 Product
Discovered byCyber Security Works Pvt. Ltd.
Severity:Medium
Vendor
WSO2
Affected Product
WSO2 API Manager
CVE
CVE-2019-20434
Securin ID
2019-CSW-10-1027
Status
Fixed
Date
May 4, 2019
Description
Proof of Concept (POC):
Issue 1 & 2:
Access the URL, and add XSS payload xss”><script>alert(1)</script> through vulnerable variable path & name to execute XSS in the POST request URL.
.png)
Figure 01: Access the URL and browse the registry->browse and add XSS payloads
.png)
Figure 02: Add a new property.
.png)
Figure 03: XSS payload added to the path variable and gets reflected in the response.
.png)
Figure 04: Injected XSS payload gets reflected in the browser.
.png)
Figure 05: XSS payload added to the name variable and gets reflected in the response.
.png)
Figure 06: Injected XSS payload gets reflected in the browser URL.
Issue 3:Access the GET request URL (added with XSS payload) directly to see XSS getting reflected in the browser.
.png)
Figure 07: Access to add new Data Source.
.png)
Figure 08: Capturing the GET request and added XSS payload gets reflected in the response.
.png)
Figure 9: Injected XSS payload, XSS%22%3e%3cscript%3ealert(1)%3c/script%3e through vulnerable dsProvider gets reflected whenever the user tries to access the URL to add new Data Source.
Impact
An attacker can trick a privileged user into clicking a crafted URL and hijacking a logged-in user’s session by stealing cookies. This means that the attacker can change the logged-in user’s password and invalidate the session of the victim while the hacker maintains access.
Remediations
Download the relevant patch based on the product version.
|
Code |
Product |
Version |
Patch |
|
AM |
WSO2 API Manager |
2.6.0 |
https://product-dist.wso2.com/downloads/carbon/wilkes/patch4935/WSO2-CARBON-PATCH-4.4.0-4935.zip |
Timeline
May 04, 2019: Discovered in WSO2 Data Analytics Server Product version 3.1.0
May 04, 2019: Report sent to WS02
May 07, 2019: WS02 acknowledged the report
May 09, 2019: Issue 3 was confirmed, and Issue 1 & 2 are not valid
Aug 12, 2019: Vendor informed their customers about the vulnerability
Sep 10, 2019: Public announcement by the vendor about the vulnerability