CVE-2019-20436: Stored XSS in WSO2 Claim Dialect URI

01/Description

What this actually is.

Technical background, root cause, and affected surface.

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect’s URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console and to add and configure claim dialects.

*Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2019-20436
Securin ID: 2019-CSW-11-1029
Status: Fixed
Date: June 25, 2019
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The POST request dialect variable is vulnerable to stored Cross-Site Scripting (XSS) in the URL, https://localhost:9443/carbon/identity-claim-mgt/add-dialect-finish-ajaxprocessor.jsp

PoC · Exploitation Steps▲ trigger

01Figure 01: Adding XSS payload to the dialect variable.02Figure 02: Added XSS payload, <script>alert(document.cookie)</script> gets stored.03Figure 03: Edit the service provider information.04Figure 04: Select the XSS payload stored in the claims.05Figure 05: Add Service Provider Claim Dialect URI by selecting the stored URI value from claims.06Figure 06: Injected XSS payload gets executed in the browser after adding claims.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page, retrieving information from the browser are possible. But since all session-related sensitive cookies are set with httpOnly flat and protected, session hijacking or mounting a similar attack would not be possible.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the relevant patch based on the product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20436, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jun 25, 2019

Discovered in WS02 Identity Server 5.7.0 Version

Jun 25, 2019

Report sent to WS02.

Jun 25, 2019

WS02 acknowledged the report

Aug 13, 2019

Fixing began in all affected versions

Sep 10, 2019

The vendor informed their customers about the vulnerability.

Nov 04, 2019

Public announcement by the vendor about the vulnerability.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20436

nvd.nist.gov/vuln/detail/CVE-2019-20436 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

01/Description

What this actually is.

Technical background, root cause, and affected surface.

*Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2019-20436
Securin ID: 2019-CSW-11-1029
Status: Fixed
Date: June 25, 2019
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The POST request dialect variable is vulnerable to stored Cross-Site Scripting (XSS) in the URL, https://localhost:9443/carbon/identity-claim-mgt/add-dialect-finish-ajaxprocessor.jsp

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the relevant patch based on the product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20436, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jun 25, 2019

Discovered in WS02 Identity Server 5.7.0 Version

Jun 25, 2019

Report sent to WS02.

Jun 25, 2019

WS02 acknowledged the report

Aug 13, 2019

Fixing began in all affected versions

Sep 10, 2019

The vendor informed their customers about the vulnerability.

Nov 04, 2019

Public announcement by the vendor about the vulnerability.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20436

nvd.nist.gov/vuln/detail/CVE-2019-20436 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in WSO2 Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WS02 Identity Server 5.7.0 Version

Report sent to WS02.

WS02 acknowledged the report

Fixing began in all affected versions

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20436

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2 Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WS02 Identity Server 5.7.0 Version

Report sent to WS02.

WS02 acknowledged the report

Fixing began in all affected versions

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20436

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2 Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WS02 Identity Server 5.7.0 Version

Report sent to WS02.

WS02 acknowledged the report

Fixing began in all affected versions

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20436

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2 Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WS02 Identity Server 5.7.0 Version

Report sent to WS02.

WS02 acknowledged the report

Fixing began in all affected versions

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20436

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.