CVE-2020-14445: Reflected XSS in WSO2 Identity Server

Stored Cross-Site Scripting in WSO2 Product

An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Basic Policy Editor user interface.

CVE IDCVE-2020-14445

CVSS v3.15.4 Medium

VendorWSO2

CWECWE-79

DisclosedFeb 10, 2020

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed when the user loads a page created in WSO2 Identity Server version 5.9.0 Product.

*Affected Products: WSO2 IS as Key Manager 5.9.0 or earlier, WSO2 Identity Server 5.9.0 or earlier

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2020-14445
Securin ID: 2020-CSW-05-1043
Status: Fixed
Date: Feb 10, 2020
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on WSO2 Identity Server version 5.9.0 Product.

PoC · Exploitation Steps▲ trigger

01Issue 1: Stored cross-site scripting.02Figure 1: Navigating to the Policy Administration and Clicking the Add New Entitlement Policy Link.03Figure 2: Clicking on Basic Policy Editor will redirect to the URL.04Figure 3: Fill the necessary details and Move to the Define Entitlement Rules section.05Figure 4: Intercepting the request, and ‘RuleID’ variable is added with XSS Payload.06Figure 5: Inserted payload gets stored and executed whenever the user visits the page.07Figure 6: Stored XSS payload in the source code.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

By leveraging an XSS attack, an attacker can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser or harm otherwise. However, since all the session related sensitive cookies are set with httpOnly flag and protected, session hijacking or similar attacks would not be possible.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Apply the relevant fixes based on the changes from the public fix using the following link:

https://github.com/wso2/carbon-identity-framework/pull/2794

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-14445, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jan 31, 2020

Discovered in WSO2 Identity Server Manager version 5.9.0.

Feb 04, 2020

CSW Internal Review.

Feb 10, 2020

Reported to the WSO2 security team.

May 13, 2020

Published to the public.

Disclosed 103 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-14445

nvd.nist.gov/vuln/detail/CVE-2020-14445 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in WSO2 Product

CVE IDCVE-2020-14445

CVSS v3.15.4 Medium

VendorWSO2

CWECWE-79

DisclosedFeb 10, 2020

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

*Affected Products: WSO2 IS as Key Manager 5.9.0 or earlier, WSO2 Identity Server 5.9.0 or earlier

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2020-14445
Securin ID: 2020-CSW-05-1043
Status: Fixed
Date: Feb 10, 2020
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on WSO2 Identity Server version 5.9.0 Product.

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Apply the relevant fixes based on the changes from the public fix using the following link:

https://github.com/wso2/carbon-identity-framework/pull/2794

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-14445, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jan 31, 2020

Discovered in WSO2 Identity Server Manager version 5.9.0.

Feb 04, 2020

CSW Internal Review.

Feb 10, 2020

Reported to the WSO2 security team.

May 13, 2020

Published to the public.

Disclosed 103 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-14445

nvd.nist.gov/vuln/detail/CVE-2020-14445 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in WSO2 Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WSO2 Identity Server Manager version 5.9.0.

CSW Internal Review.

Reported to the WSO2 security team.

Published to the public.

Cite, verify, go deeper.

NVD — CVE-2020-14445

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2 Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WSO2 Identity Server Manager version 5.9.0.

CSW Internal Review.

Reported to the WSO2 security team.

Published to the public.

Cite, verify, go deeper.

NVD — CVE-2020-14445

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2 Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WSO2 Identity Server Manager version 5.9.0.

CSW Internal Review.

Reported to the WSO2 security team.

Published to the public.

Cite, verify, go deeper.

NVD — CVE-2020-14445

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in WSO2 Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WSO2 Identity Server Manager version 5.9.0.

CSW Internal Review.

Reported to the WSO2 security team.

Published to the public.

Cite, verify, go deeper.

NVD — CVE-2020-14445

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.