CVE-2019-20442: Stored XSS in WSO2 Registry UI

Stored Cross-Site Scripting in WSO2

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI.

CVE IDCVE-2019-20442

CVSS v3.14.8 Medium

VendorWSO2

CWECWE-79

DisclosedJul 2, 2019

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

An issue was discovered on WSO2 API Manager before 5.7.0 in the registry UI. A stored cross-site script (XSS) vulnerability allows an attacker to inject malicious code into the application and stored in the server. An input variable was vulnerable to stored XSS is ‘roleToAuthorize’ on the browser page.

*Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 IS as Key Manager, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2019-20442
Securin ID: 2019-CSW-01-1023
Status: Fixed
Date: July 2, 2019
Severity: Medium
CVSS Score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on WSO2 Identity Server version 5.7.0 Product.

PoC · Exploitation Steps▲ trigger

01Issue 01: Stored Cross-Site Scripting02Figure 01: Choose “Browse” from the Registry option.03Figure 02: Select any on ‘Role’ and add “Permission” from the permission section on the same page.04Figure 03: Capture the POST request in burp suite proxy and add XSS payload, “><img src=x onerror=prompt(1)> to “roleToAuthorize” variable.05Figure 04: Injected XSS Payload gets stored and executed in the browser.06Figure 05: The stored XSS payload gets executed whenever the user loads the page

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page, retrieving information from the browser are possible. But since all session-related sensitive cookies are set with httponly flat and protected, session hijacking or mounting a similar attack would not be possible.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the following patch based on your product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20442, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jul 02, 2019

Discovered in WS02 Identity Server 5.7.0 Version.

Jul 02, 2019

Report sent to WS02.

Jul 02, 2019

WS02 acknowledged the report

Aug 13, 2019

Fixing was initiated in all affected versions.

Sep 10, 2019

The vendor informed their customers about the vulnerability.

Oct 10, 2019

Public announcement by the vendor about the vulnerability.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20442

nvd.nist.gov/vuln/detail/CVE-2019-20442 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in WSO2

CVE IDCVE-2019-20442

CVSS v3.14.8 Medium

VendorWSO2

CWECWE-79

DisclosedJul 2, 2019

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

*Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 IS as Key Manager, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2019-20442
Securin ID: 2019-CSW-01-1023
Status: Fixed
Date: July 2, 2019
Severity: Medium
CVSS Score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on WSO2 Identity Server version 5.7.0 Product.

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the following patch based on your product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20442, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jul 02, 2019

Discovered in WS02 Identity Server 5.7.0 Version.

Jul 02, 2019

Report sent to WS02.

Jul 02, 2019

WS02 acknowledged the report

Aug 13, 2019

Fixing was initiated in all affected versions.

Sep 10, 2019

The vendor informed their customers about the vulnerability.

Oct 10, 2019

Public announcement by the vendor about the vulnerability.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20442

nvd.nist.gov/vuln/detail/CVE-2019-20442 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in WSO2

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WS02 Identity Server 5.7.0 Version.

Report sent to WS02.

WS02 acknowledged the report

Fixing was initiated in all affected versions.

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20442

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WS02 Identity Server 5.7.0 Version.

Report sent to WS02.

WS02 acknowledged the report

Fixing was initiated in all affected versions.

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20442

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WS02 Identity Server 5.7.0 Version.

Report sent to WS02.

WS02 acknowledged the report

Fixing was initiated in all affected versions.

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20442

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WS02 Identity Server 5.7.0 Version.

Report sent to WS02.

WS02 acknowledged the report

Fixing was initiated in all affected versions.

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20442

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.