SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2017-14651
    ▲ MediumCVSS 4.8✓ PatchedEPSS 0.03672%

    Multiple Cross-Site Scripting in WSO2 Data Analytics Server

    WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.

    CVE IDCVE-2017-14651
    CVSS v3.14.8 Medium
    VendorWSO2
    CWECWE-79
    DisclosedJul 21, 2017
    StatusFixed
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Impact
    • 04Remediation
    • 05Timeline
    • 06References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    Multiple Reflected Cross-Site Scripting (XSS) vulnerability has been identified on WSO2 Data Analytics Server Products 3.1.0 in the management console. The vulnerability allows an attacker to inject malicious script and can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser, or harm.

     

    *Affected Products: API Manager 2.1.0 App Manager 1.2.0 Application Server 5.3.0 Business Process Server 3.6.0 Business Rules Server 2.2.0 Complex Event Processor 4.2.0 Dashboard Server 2.0.0 Data Analytics Server 3.1.0 Data Services Server 3.5.1 Enterprise Integrator 6.1.1 Enterprise Mobility Manager 2.2.0 Governance Registry 5.4.0 Identity Server 5.3.0 IoT Server 3.0.0 Machine Learner 1.2.0 Message Broker 3.2.0 Storage Server 1.5.0

    Vendor
    WSO2
    Affected Product
    See Full List Below*
    CVE
    CVE-2017-14651
    Securin ID
    2017-CSW-09-1017
    Status
    Fixed
    Date
    July 21, 2017
    Severity
    Medium
    CVSS Score
    4.8
    Vector
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    CWE
    CWE-79
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    4.8CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    ScopeChanged
    ImpactC:L / I:L / A:N
    SeverityMedium

    Issue 1: Accessing the POST Request of the URL, https://WSO2IP:9443/carbon/resources/add_collection_ajaxprocessor.jsp with XSS payloads through vulnerable variable collectionName and parentPath will execute XSS in the victim’s browser.

    PoC · Exploitation Steps▲ trigger
    01Figure 01: XSS payloads through vulnerable variable collectionName.02Figure 02: Reflected response for the vulnerable variable collectionName with XSS Payload is executed.03Figure 03: XSS payloads through vulnerable variable parentPath (also collection name must be injected with any invalid symbols).04Figure 04: Reflected response for the vulnerable variable parentPath with XSS Payload is executed.05Issue 2: Accessing the GET Request of the URL, https://WSO2IP:9443/carbon/resources/permissions_ajaxprocessor.jsp?path=%2F_system%2Ftest%2Fhack-xss’)”><script>alert(3)</script>&random=1275 will execute XSS in victim’s browser.06Figure 05: GET request URL with XSS payload through path variable is vulnerable to Cross-Site Scripting.07Figure 06: Accessing the GET request is executing XSS payload through the vulnerable variable.
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    An attacker can make the browser get redirected to a malicious website, make changes in the UI of the web page, and retrieve information from the browser.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Download the relevant patch based on your version.

     https://wso2.com/security-patch-releases-notice

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2017-14651, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Jul 08, 2017

    Discovered in WSO2 Data Analytics Server Product version 3.1.0

    Jul 21, 2017

    Reported to WSO2

    Jul 21, 2017

    WSO2 security team acknowledged the vulnerability

    Jul 12, 2017

    Issue 01 was confirmed, issue 02 reported earlier, and fixed

    Aug 21, 2017

    Public patching was in progress

    Sep 06, 2017

    Updated the patch

    Timeline recorded · Disclosure coordinated by Securin

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2017-14651

    nvd.nist.gov/vuln/detail/CVE-2017-14651 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum