CVE-2019-20440: Reflected XSS in WSO2 API Manager 2.6.0

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Multiple Reflected Cross-Site Scripting (XSS) vulnerability exists in WSO2 API Manager Product 2.6.0 in the update API documentation feature of the API Publisher. A reflected cross-site script (XSS) vulnerability allows an attacker to inject malicious code into the application. An input variable vulnerable to reflected XSS is ‘docName,’ ‘version’ and ‘apiName’ in the APIs page.

Vendor: WSO2
Affected Product: WSO2 API Manager
CVE: CVE-2019-20440
Securin ID: 2019-CSW-01-1021
Status: Fixed
Date: July 6, 2019
Severity: Medium
CVSS Score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on the WSO2 API Manager version 2.6.0 Product.

PoC · Exploitation Steps▲ trigger

01Issue 01: Multiple Reflected Cross-Site Scripting.02Figure 01: Update the existing document information created. (here API Name is ‘reflected XSS’).03Figure 02: Add XSS payload to the variable “docName.”04Figure 03: “HTTP Response for the modified “docName” variable with XSS payload.”05Figure 04: Injected XSS payload, “><script>alert(document.cookie)</script> gets reflected in the browser response.06Issue 02 & 03:07Figure 05: Injected XSS payload in variable docName, version, and apiName gets reflected in the response.08Figure 06: Injected payload gets reflected in the browser THREE times (THREE places).09Figure 07: Page Looks after executing the injected XSS payload.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page, retrieving information from the browser are possible. But since all session-related sensitive cookies are set with httpOnly flat and protected, session hijacking or mounting a similar attack would not be possible.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the following patch based on your product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20440, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jul 05, 2019

Discovered in WSO2 API Manager v2.6.0.

Jul 06, 2019

Reported to the intigriti platform.

Jul 23, 2019

Closed the issue in the intigriti platform as it was “out of scope.”

Jul 26, 2019

Reported the vulnerability to WSO2.

Jul 29, 2019

WS02 acknowledged the report.

Aug 13, 2019

Fixing began in all affected versions.

Oct 10, 2019

Public and customer announcement by the vendor about the vulnerability

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20440

nvd.nist.gov/vuln/detail/CVE-2019-20440 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: WSO2
Affected Product: WSO2 API Manager
CVE: CVE-2019-20440
Securin ID: 2019-CSW-01-1021
Status: Fixed
Date: July 6, 2019
Severity: Medium
CVSS Score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on the WSO2 API Manager version 2.6.0 Product.

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the following patch based on your product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20440, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jul 05, 2019

Discovered in WSO2 API Manager v2.6.0.

Jul 06, 2019

Reported to the intigriti platform.

Jul 23, 2019

Closed the issue in the intigriti platform as it was “out of scope.”

Jul 26, 2019

Reported the vulnerability to WSO2.

Jul 29, 2019

WS02 acknowledged the report.

Aug 13, 2019

Fixing began in all affected versions.

Oct 10, 2019

Public and customer announcement by the vendor about the vulnerability

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20440

nvd.nist.gov/vuln/detail/CVE-2019-20440 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Multiple Reflected Cross-site Scripting in WSO2

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WSO2 API Manager v2.6.0.

Reported to the intigriti platform.

Closed the issue in the intigriti platform as it was “out of scope.”

Reported the vulnerability to WSO2.

WS02 acknowledged the report.

Fixing began in all affected versions.

Public and customer announcement by the vendor about the vulnerability

Cite, verify, go deeper.

NVD — CVE-2019-20440

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Reflected Cross-site Scripting in WSO2

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WSO2 API Manager v2.6.0.

Reported to the intigriti platform.

Closed the issue in the intigriti platform as it was “out of scope.”

Reported the vulnerability to WSO2.

WS02 acknowledged the report.

Fixing began in all affected versions.

Public and customer announcement by the vendor about the vulnerability

Cite, verify, go deeper.

NVD — CVE-2019-20440

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Reflected Cross-site Scripting in WSO2

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WSO2 API Manager v2.6.0.

Reported to the intigriti platform.

Closed the issue in the intigriti platform as it was “out of scope.”

Reported the vulnerability to WSO2.

WS02 acknowledged the report.

Fixing began in all affected versions.

Public and customer announcement by the vendor about the vulnerability

Cite, verify, go deeper.

NVD — CVE-2019-20440

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Reflected Cross-site Scripting in WSO2

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WSO2 API Manager v2.6.0.

Reported to the intigriti platform.

Closed the issue in the intigriti platform as it was “out of scope.”

Reported the vulnerability to WSO2.

WS02 acknowledged the report.

Fixing began in all affected versions.

Public and customer announcement by the vendor about the vulnerability

Cite, verify, go deeper.

NVD — CVE-2019-20440

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.