CVE-2019-20443: Stored XSS in WSO2 Registry UI

Stored Cross-Site Scripting in WSO2

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI.

CVE IDCVE-2019-20443

CVSS v3.14.8 Medium

VendorWSO2

CWECWE-79

DisclosedJan 2, 2020

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

This vulnerability was discovered on the WSO2 Identity Server before 5.7.0. A stored cross-site script (XSS) vulnerability allows an attacker to inject malicious code into the application and stored in the server. An input variable vulnerable to stored XSS is ‘mediaType’ on the browser page.

*Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 Enterprise Integrator, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2019-20443
Securin ID: 2019-CSW-01-1024
Status: Fixed
Date: January 2, 2020
Severity: Medium
CVSS Score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on WSO2 Identity Server version 5.7.0 Product.

PoC · Exploitation Steps▲ trigger

01Issue 01: Stored Cross-Site Scripting.02Figure 01: Edit “Media Type” value in the “Metadata” section.03Figure 02: Save “Media Type” with XSS payload, “><img src=x onerror=prompt(1)>04Figure 03: Injected XSS payload gets stored to the application.05Figure 04: Injected XSS Payload gets stored and executed in the browser.06Figure 05: The stored XSS payload gets executed in four different places throughout the page whenever the user loads the page.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page, retrieving information from the browser are possible. But since all session-related sensitive cookies are set with httpOnly flat and protected, session hijacking or mounting a similar attack would not be possible.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the following relevant patch based on your product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20443, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jul 02, 2019

Discovered CVE-2019-20443 in WS02 Identity Server 5.7.0 Version.

Jul 02, 2019

Report sent to WS02.

Jul 02, 2019

WS02 acknowledged the report.

Aug 13, 2019

Fixing was initiated in all affected versions.

Sep 10, 2019

The vendor informed their customers about the vulnerability.

Oct 10, 2019

Public announcement by the vendor about the vulnerability.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20443

nvd.nist.gov/vuln/detail/CVE-2019-20443 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in WSO2

CVE IDCVE-2019-20443

CVSS v3.14.8 Medium

VendorWSO2

CWECWE-79

DisclosedJan 2, 2020

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

*Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 Enterprise Integrator, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2019-20443
Securin ID: 2019-CSW-01-1024
Status: Fixed
Date: January 2, 2020
Severity: Medium
CVSS Score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on WSO2 Identity Server version 5.7.0 Product.

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the following relevant patch based on your product version.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20443, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jul 02, 2019

Discovered CVE-2019-20443 in WS02 Identity Server 5.7.0 Version.

Jul 02, 2019

Report sent to WS02.

Jul 02, 2019

WS02 acknowledged the report.

Aug 13, 2019

Fixing was initiated in all affected versions.

Sep 10, 2019

The vendor informed their customers about the vulnerability.

Oct 10, 2019

Public announcement by the vendor about the vulnerability.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20443

nvd.nist.gov/vuln/detail/CVE-2019-20443 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in WSO2

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered CVE-2019-20443 in WS02 Identity Server 5.7.0 Version.

Report sent to WS02.

WS02 acknowledged the report.

Fixing was initiated in all affected versions.

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20443

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered CVE-2019-20443 in WS02 Identity Server 5.7.0 Version.

Report sent to WS02.

WS02 acknowledged the report.

Fixing was initiated in all affected versions.

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20443

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered CVE-2019-20443 in WS02 Identity Server 5.7.0 Version.

Report sent to WS02.

WS02 acknowledged the report.

Fixing was initiated in all affected versions.

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20443

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered CVE-2019-20443 in WS02 Identity Server 5.7.0 Version.

Report sent to WS02.

WS02 acknowledged the report.

Fixing was initiated in all affected versions.

The vendor informed their customers about the vulnerability.

Public announcement by the vendor about the vulnerability.

Cite, verify, go deeper.

NVD — CVE-2019-20443

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.