CVE-2019-20435: Reflected XSS in WSO2 API Manager 2.6.0

Reflected Cross-Site Scripting in WSO2 Product

An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful docName request parameter.

CVE IDCVE-2019-20435

CVSS v3.14.8 Medium

VendorWSO2

CWECWE-79

DisclosedJun 21, 2019

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A vulnerability was discovered on WSO2 products inline API documentation editor page of the API Publisher. A reflected cross-site script (XSS) vulnerability allows an attacker to perform in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful request parameter for ‘docName.’

Vendor: WSO2
Affected Product: WSO2 API Manager
CVE: CVE-2019-20435
Securin ID: 2019-CSW-11-1027
Status: Fixed
Date: June 21, 2019
Severity: Medium
CVSS Score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The POST request docName variable is vulnerable to reflected Cross-Site Scripting (XSS) in the URL, https://192.168.107.2:9443/publisher/site/blocks/documentation/ajax/docs.jag

PoC · Exploitation Steps▲ trigger

01Figure 01: New document created in the API.02Figure 02: Choose ‘Edit Content’ to edit document information.03Figure 03: Actual GET request URL.04Figure 04: Crafted request with XSS payload, XSS<img src=x onerror=prompt(1)> gets reflected in the same browser as response.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

By tricking a privileged user into clicking a created URL via email, IM, or a neutral web site, the attacker can make the browser get redirected to a malicious website, which makes changes in the UI of the web page and retrieve information from the browser or harm otherwise. But since all session-related sensitive cookies are set with httpOnly flat and protected, session hijacking or mounting a similar attack would not be possible.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the relevant patch based on the product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20435, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jun 21, 2019

Discovered in WSO2 API Manager Product version 2.6.0

Jun 21, 2019

Report sent to WS02.

Jun 21, 2019

WS02 acknowledged the report

Aug 13, 2019

Vendor informed their customers about the vulnerability

Nov 04, 2019

Public announcement by the vendor about the vulnerability

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20435

nvd.nist.gov/vuln/detail/CVE-2019-20435 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Reflected Cross-Site Scripting in WSO2 Product

CVE IDCVE-2019-20435

CVSS v3.14.8 Medium

VendorWSO2

CWECWE-79

DisclosedJun 21, 2019

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: WSO2
Affected Product: WSO2 API Manager
CVE: CVE-2019-20435
Securin ID: 2019-CSW-11-1027
Status: Fixed
Date: June 21, 2019
Severity: Medium
CVSS Score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The POST request docName variable is vulnerable to reflected Cross-Site Scripting (XSS) in the URL, https://192.168.107.2:9443/publisher/site/blocks/documentation/ajax/docs.jag

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the relevant patch based on the product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20435, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jun 21, 2019

Discovered in WSO2 API Manager Product version 2.6.0

Jun 21, 2019

Report sent to WS02.

Jun 21, 2019

WS02 acknowledged the report

Aug 13, 2019

Vendor informed their customers about the vulnerability

Nov 04, 2019

Public announcement by the vendor about the vulnerability

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20435

nvd.nist.gov/vuln/detail/CVE-2019-20435 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Reflected Cross-Site Scripting in WSO2 Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WSO2 API Manager Product version 2.6.0

Report sent to WS02.

WS02 acknowledged the report

Vendor informed their customers about the vulnerability

Public announcement by the vendor about the vulnerability

Cite, verify, go deeper.

NVD — CVE-2019-20435

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected Cross-Site Scripting in WSO2 Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WSO2 API Manager Product version 2.6.0

Report sent to WS02.

WS02 acknowledged the report

Vendor informed their customers about the vulnerability

Public announcement by the vendor about the vulnerability

Cite, verify, go deeper.

NVD — CVE-2019-20435

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected Cross-Site Scripting in WSO2 Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WSO2 API Manager Product version 2.6.0

Report sent to WS02.

WS02 acknowledged the report

Vendor informed their customers about the vulnerability

Public announcement by the vendor about the vulnerability

Cite, verify, go deeper.

NVD — CVE-2019-20435

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected Cross-Site Scripting in WSO2 Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WSO2 API Manager Product version 2.6.0

Report sent to WS02.

WS02 acknowledged the report

Vendor informed their customers about the vulnerability

Public announcement by the vendor about the vulnerability

Cite, verify, go deeper.

NVD — CVE-2019-20435

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.