Securin Zero-Days

CVE-2019-20440 – Multiple Reflected Cross-site Scripting in WSO2

Severity: Low

Vendor: WSO2

Affected Product: WSO2 API Manager

CVE: CVE-2019-20440

Securin ID: 2019-CSW-01-1021

Status: Fixed

Date: July 6, 2019

Description

Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities exist in WSO2 API Manager 2.6.0, in the update API documentation feature of the API Publisher. A reflected cross-site scripting (XSS) vulnerability allows an attacker to inject malicious code into the application. The input parameters vulnerable to reflected XSS are ‘docName’, ‘version’ and ‘apiName’ on the APIs page.

Proof of Concept (POC):

The following vulnerability was tested on WSO2 API Manager version 2.6.0.

Issue 01: Multiple Reflected Cross-Site Scripting.

Figure 01: Updating the information of an existing document (here the API name is ‘reflected XSS’).

Figure 02: XSS payload added to the “docName” variable.

Figure 03: HTTP response for the modified “docName” variable with the XSS payload.

Figure 04: The injected XSS payload "><script>alert(document.cookie)</script> is reflected in the browser response.

Issue 02 & 03:

Figure 05: Injected XSS payload in variable docName, version, and apiName gets reflected in the response.

Figure 06: The injected payload is reflected in the browser three times (in three places).

Figure 07: How the page looks after the injected XSS payload executes.
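To show why the payload in Figure 04 breaks out of the page and how output encoding stops it, here is an added example; it is not WSO2's code (the advisory does not show the publisher's templates). It assumes a hypothetical document form that echoes docName, version and apiName into HTML attribute values, first by plain string concatenation and then with attribute-context encoding; the parameter values other than the payload are constructed for the demo.

```javascript
// Added illustration (not WSO2 code): unencoded reflection of the
// docName / version / apiName parameters versus attribute encoding.

// Escape the characters that can end an attribute value or start markup.
// & < > " ' are the minimum set for a double-quoted attribute context.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Vulnerable pattern: request parameters are concatenated into the markup.
function renderDocFormVulnerable(params) {
  return '<form>' +
    '<input name="apiName" value="' + params.apiName + '">' +
    '<input name="version" value="' + params.version + '">' +
    '<input name="docName" value="' + params.docName + '">' +
    '</form>';
}

// Hardened pattern: each reflected parameter is encoded for the attribute context.
function renderDocFormSafe(params) {
  const e = encodeForHtmlAttribute;
  return '<form>' +
    '<input name="apiName" value="' + e(params.apiName) + '">' +
    '<input name="version" value="' + e(params.version) + '">' +
    '<input name="docName" value="' + e(params.docName) + '">' +
    '</form>';
}

// Check usable in a unit test or response filter: a raw <script tag in the
// rendered HTML means a parameter reached the markup unencoded.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Payload quoted in the advisory; apiName and version are constructed values.
const PAYLOAD = '"><script>alert(document.cookie)</script>';
const params = { apiName: 'reflected XSS', version: '1.0.0', docName: PAYLOAD };

// Vulnerable: the leading " closes the value attribute and > closes the tag,
// so the <script> element becomes live markup. Safe: the payload stays inert
// text inside the attribute (&quot;&gt;&lt;script&gt;...).
const vulnerableHtml = renderDocFormVulnerable(params);
const safeHtml = renderDocFormSafe(params);
```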

Impact

Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page and retrieving information from the browser are possible. However, since all session-related sensitive cookies are set with the HttpOnly flag and are therefore protected, session hijacking or a similar attack would not be possible.

Remediations

Download the following patch based on your product version.

Code  Product           Version  Patch
AM    WSO2 API Manager  2.6.0    WSO2-CARBON-PATCH-4.4.0-5183

Timeline

Jul 05, 2019: Discovered in WSO2 API Manager v2.6.0.

Jul 06, 2019: Reported to the intigriti platform.

Jul 23, 2019: Closed the issue in the intigriti platform as it was “out of scope.”

Jul 26, 2019: Reported the vulnerability to WSO2.

Jul 29, 2019: WSO2 acknowledged the report.

Aug 13, 2019: Fixing began in all affected versions.

Oct 10, 2019: Public and customer announcements by the vendor.
