Securin Zero-Days

CVE-2019-20437 – Stored Cross-Site Scripting in WSO2 Product

Severity: Medium

Vendor

WSO2

Affected Product

See Full List Below*

CVE

CVE-2019-20437

Securin ID

2019-CSW-11-1030

Status

Fixed

Date

June 29, 2019

Description

A stored cross-site scripting (XSS) vulnerability was discovered in the management console of WSO2 products. An attacker with enough privilege to add a claim dialect can store an XSS payload in the dialect URI; the payload then executes in the browser of any user who later picks that malicious dialect URI and adds it as the service provider claim dialect while configuring a service provider.


*Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

Proof of Concept (POC):

The dialect variable of the POST request to https://localhost:9443/carbon/identity-claim-mgt/add-dialect-finish-ajaxprocessor.jsp is vulnerable to stored cross-site scripting (XSS): the value is persisted without sanitisation and later rendered into the console unencoded.

Figure 01: Adding the XSS payload to the dialect variable.

Figure 02: The added XSS payload, <script>alert(document.cookie)</script>, is stored.

Figure 03: Editing the service provider information.

Figure 04: Selecting the stored XSS payload from the claims.

Figure 05: Adding the Service Provider Claim Dialect URI by selecting the stored URI value from the claims.

Figure 06: The injected XSS payload executes in the browser after the claims are added.
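The PoC above stores an arbitrary string as the dialect URI, and the console later writes that string into a page unencoded. The following Python is an added example, not code from this advisory or from WSO2: it models the store-then-render path with the vulnerable renderer beside a hardened one that HTML-encodes at output time, adds the server-side validation a practitioner would want on the dialect variable, and includes a parser-based check for live <script> elements that can be run over a fetched page. The names DialectStore, render_dialects_vulnerable, render_dialects_fixed, is_valid_dialect_uri and count_script_tags, the table markup, and the urn: sample value are assumptions; the example makes no claim about what the WSO2 patches actually change.

```python
"""Stored XSS through a claim dialect URI: vulnerable vs. hardened handling.

Added example for this advisory; it is not WSO2 code and does not reproduce
the console's real markup or parameter names.  It models the two steps the
PoC shows: the dialect URI is stored by the add-dialect request, and the
stored URI is later written into the service provider claim configuration
page.  DialectStore, render_* and is_valid_dialect_uri are illustrative names.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Payload from Figure 02 of the advisory.
PAYLOAD = "<script>alert(document.cookie)</script>"
# http://wso2.org/claims is WSO2's default local dialect; the urn: value is a
# constructed example of a non-http dialect URI.
KNOWN_GOOD = ["http://wso2.org/claims", "urn:scim:schemas:core:1.0"]


def is_valid_dialect_uri(uri):
    """Server-side input check for the dialect variable.

    A dialect URI must be an absolute http(s) URI with a host, or a urn:
    value, and must contain no characters that can break out of an HTML
    context.  This is defence in depth: output encoding (below) is what
    actually stops the XSS.
    """
    if any(ch in uri for ch in '<>"\'\x00') or any(ch.isspace() for ch in uri):
        return False
    parts = urlsplit(uri)
    if parts.scheme in ("http", "https"):
        return bool(parts.netloc)
    if parts.scheme == "urn":
        return bool(parts.path)
    return False


class DialectStore:
    """Constructed in-memory stand-in for the claim dialect store."""

    def __init__(self, validate=False):
        self.validate = validate
        self._dialects = []

    def add(self, dialect_uri):
        # Pre-patch behaviour (validate=False): whatever was posted as the
        # dialect variable is kept verbatim.
        if self.validate and not is_valid_dialect_uri(dialect_uri):
            raise ValueError("rejected dialect URI: %r" % dialect_uri)
        self._dialects.append(dialect_uri)

    def all(self):
        return list(self._dialects)


def render_dialects_vulnerable(store):
    """Models the bug: the stored URI is interpolated into the page verbatim,
    so a stored <script> element becomes live markup in the victim's browser."""
    return "<table>%s</table>" % "".join(
        "<tr><td>%s</td></tr>" % uri for uri in store.all())


def render_dialects_fixed(store):
    """Hardened rendering: HTML-encode at the point of output.  quote=True
    also encodes double and single quotes, so the same helper is safe inside
    a quoted attribute value."""
    return "<table>%s</table>" % "".join(
        "<tr><td>%s</td></tr>" % html.escape(uri, quote=True)
        for uri in store.all())


class _ScriptTagFinder(HTMLParser):
    """Counts <script> start tags the way a browser would see them."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(rendered_html):
    """Check a tester can run over a fetched page: a real <script> element in
    the output means the stored payload executes; an encoded &lt;script&gt;
    is inert text and is not counted."""
    finder = _ScriptTagFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.script_tags


if __name__ == "__main__":
    store = DialectStore()
    for uri in KNOWN_GOOD + [PAYLOAD]:
        store.add(uri)
    print("vulnerable render, live script tags:",
          count_script_tags(render_dialects_vulnerable(store)))  # 1
    print("fixed render, live script tags:",
          count_script_tags(render_dialects_fixed(store)))       # 0
    print("validator rejects payload:", not is_valid_dialect_uri(PAYLOAD))  # True
```

The durable fix is the output encoding in render_dialects_fixed: the stored value may legitimately be any URI, so the page must encode it wherever it is written into HTML. The validator in DialectStore(validate=True) narrows what the add-dialect request accepts in the first place, which blocks this particular payload but is not a substitute for encoding, since the same stored value may be rendered in other contexts.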

Impact

Through this XSS, the attacker can redirect the victim's browser to a malicious website, change the UI of the management console page, or retrieve information from the browser. Because all session-related sensitive cookies are set with the HttpOnly flag, the injected script cannot read them (the PoC's alert(document.cookie) does not reveal the session cookie), so session hijacking by cookie theft or a similar attack is not possible. The script does still run in the console's origin with the victim's session, which is why the issue is rated Medium rather than Low.

Remediations

Download the relevant patch based on the product version.

Code    Product                  Version   Patch
AM      WSO2 API Manager         2.6.0     WSO2-CARBON-PATCH-4.4.0-5118
IS KM   WSO2 IS as Key Manager   5.7.0     WSO2-CARBON-PATCH-4.4.0-5118
IS      WSO2 Identity Server     5.8.0     WSO2-CARBON-PATCH-4.4.0-5116

Timeline

Jun 29, 2019: Discovered in WSO2 Identity Server 5.7.0

Jun 29, 2019: Report sent to WSO2

Jun 29, 2019: WSO2 acknowledged the report

Aug 13, 2019: Fixing began in all affected versions

Nov 04, 2019: Public and customer announcement by the vendor about the vulnerability
