Securin Zero Days

Severity: Medium · CVSS 4.8 · Patched · EPSS 0.00358%

    Multiple Reflected Cross-Site Scripting in WSO2 Product

    An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console.

CVE ID: CVE-2019-20434
CVSS v3.1: 4.8 Medium
Vendor: WSO2
CWE: CWE-79
Disclosed: May 4, 2019
Status: Fixed
• 01 Description
• 02 Proof of Concept
• 03 Impact
• 04 Remediation
• 05 Timeline
• 06 References
    01/Description


Multiple reflected cross-site scripting (XSS) vulnerabilities were identified in the WSO2 Data Analytics Server product, in the Data Source creation page of the Management Console. A reflected XSS vulnerability allows an attacker to inject malicious code into the Data Source creation page of the Management Console by sending an HTTP GET request with a harmful request parameter.

Vendor: WSO2
Affected Product: WSO2 API Manager
CVE: CVE-2019-20434
Securin ID: 2019-CSW-10-1027
Status: Fixed
Date: May 4, 2019
Severity: Medium
CVSS Score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
    02/Proof of Concept


CVSS 3.1: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Scope: Changed
Impact: C:L / I:L / A:N
Severity: Medium
PoC · Exploitation Steps

Issues 1 & 2:
Access the URL and add the XSS payload xss"><script>alert(1)</script> through the vulnerable variables path and name to execute XSS in the POST request URL.
Figure 01: Access the URL, browse the registry (registry -> browse) and add the XSS payloads.
Figure 02: Add a new property.
Figure 03: The XSS payload added to the path variable is reflected in the response.
Figure 04: The injected XSS payload is reflected in the browser.
Figure 05: The XSS payload added to the name variable is reflected in the response.
Figure 06: The injected XSS payload is reflected in the browser URL.

Issue 3:
Access the GET request URL (with the XSS payload added) directly to see the XSS reflected in the browser.
Figure 07: Access the page to add a new Data Source.
Figure 08: The captured GET request; the added XSS payload is reflected in the response.
Figure 09: The injected payload XSS%22%3e%3cscript%3ealert(1)%3c/script%3e, passed through the vulnerable dsProvider parameter, is reflected whenever the user tries to access the URL to add a new Data Source.
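As an added example (not code from the advisory or from WSO2), the following Python models the reflected dsProvider parameter described above in its vulnerable and attribute-encoded forms, and flags the URL-encoded payload from Figure 09 in constructed access-log lines; the console path and the log format are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Payload from the advisory's PoC (Figure 09), in its URL-decoded form.
POC_PAYLOAD = 'XSS"><script>alert(1)</script>'

# Illustrative model of the flaw: the dsProvider value is reflected straight into
# an HTML attribute. This is not WSO2's own page code, just the pattern described.
def render_vulnerable(ds_provider: str) -> str:
    return f'<input type="text" name="dsProvider" value="{ds_provider}">'

# Hardened form: attribute-context encoding. quote=True turns the payload's closing
# double quote into &quot;, so it can no longer terminate the value attribute.
def render_fixed(ds_provider: str) -> str:
    return f'<input type="text" name="dsProvider" value="{html.escape(ds_provider, quote=True)}">'

def is_script_injected(page: str) -> bool:
    """True if the rendered markup contains a live <script> tag."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None

# Detection side: flag access-log requests whose dsProvider parameter carries HTML
# tag markup once URL-decoded (catches the %3cscript%3e form from Figure 09).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)

def flag_xss_requests(log_lines):
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes each value, so the encoded payload becomes raw markup
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in query.get("dsProvider", []):
            if TAG_RE.search(value):
                hits.append(("dsProvider", value))
    return hits

# Constructed sample log lines; /console/add-datasource is a placeholder path.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/May/2019:10:00:00 +0000] "GET /console/add-datasource?dsProvider=RDBMS HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/May/2019:10:00:07 +0000] "GET /console/add-datasource?dsProvider=XSS%22%3e%3cscript%3ealert(1)%3c/script%3e HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    print(render_vulnerable(POC_PAYLOAD))  # live <script> tag survives
    print(render_fixed(POC_PAYLOAD))       # encoded, no live tag
    print(flag_xss_requests(SAMPLE_LOG))   # one hit, from the second log line
```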
    03/Impact


An attacker can trick a privileged user into clicking a crafted URL and hijack the logged-in user's session by stealing cookies. The attacker can then change the logged-in user's password and invalidate the victim's session while maintaining access.

    04/Remediation


    Download the relevant patch based on the product version.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20434, contact disclose@securin.io
    05/Disclosure Timeline


May 04, 2019: Discovered in WSO2 Data Analytics Server Product version 3.1.0
May 04, 2019: Report sent to WSO2
May 07, 2019: WSO2 acknowledged the report
May 09, 2019: Issue 3 was confirmed; Issues 1 & 2 were not valid
Aug 12, 2019: Vendor informed their customers about the vulnerability
Sep 10, 2019: Public announcement by the vendor about the vulnerability

    Timeline recorded · Disclosure coordinated by Securin

    06/References


NVD: CVE-2019-20434
nvd.nist.gov/vuln/detail/CVE-2019-20434

Securin VI: Full Technical Analysis
vi.securin.io

    © 2026 Securin Inc · CVE Numbering Authority