SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2019-20437
    ▲ MediumCVSS 6.1✓ PatchedEPSS 0.00657%

    Stored Cross-Site Scripting in WSO2 Product

    An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if the user accesses the My Account page.

    CVE IDCVE-2019-20437
    CVSS v3.16.1 Medium
    VendorWSO2
    CWECWE-79
    DisclosedJun 29, 2019
    StatusFixed
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Impact
    • 04Remediation
    • 05Timeline
    • 06References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    A vulnerability was discovered on WSO2 products in the management console. A stored cross-site script (XSS) vulnerability allows an attacker to execute the malicious code if there is a claim dialect configured with an XSS payload in the dialect URI, if a user picks up the malicious dialect URI, and adds it as the service provider claim dialect while configuring the service provider.

     

    *Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

    Vendor
    WSO2
    Affected Product
    See Full List Below*
    CVE
    CVE-2019-20437
    Securin ID
    2019-CSW-11-1030
    Status
    Fixed
    Date
    June 29, 2019
    Severity
    Medium
    CVSS Score
    6.1
    Vector
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    CWE
    CWE-79
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    6.1CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    ScopeChanged
    ImpactC:L / I:L / A:N
    SeverityMedium

    The POST request dialect variable is vulnerable to stored Cross-Site Scripting (XSS) in the URL, https://localhost:9443/carbon/identity-claim-mgt/add-dialect-finish-ajaxprocessor.jsp

    PoC · Exploitation Steps▲ trigger
    01Figure 01: Adding XSS payload to the dialect variable.02Figure 02: Added XSS payload, <script>alert(document.cookie)</script> gets stored.03Figure 03: Edit the service provider information.04Figure 04: Select the XSS payload stored in the claims.05Figure 05: Add Service Provider Claim Dialect URI by selecting the stored URI value from claims.06Figure 06: Injected XSS payload gets executed in the browser after adding claims.
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page, retrieving information from the browser are possible. But since all session-related sensitive cookies are set with httpOnly flat and protected, session hijacking or mounting a similar attack would not be possible.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Download the relevant patch based on the product version.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20437, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Jun 29, 2019

    Discovered in WS02 Identity Server 5.7.0 Version

    Jun 29, 2019

    Report sent to WS02.

    Jun 29, 2019

    WS02 acknowledged the report

    Aug 13, 2019

    Fixing began in all affected versions

    Nov 04, 2019

    Public and customer announcement by the vendor about the vulnerability

    Timeline recorded · Disclosure coordinated by Securin

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2019-20437

    nvd.nist.gov/vuln/detail/CVE-2019-20437 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum