imge
Get Started!

Securin Zero-Days

CVE-2019-20435 – Reflected Cross-Site Scripting in WSO2 Product

Severity:Medium

Vendor

WSO2

Affected Product

WSO2 API Manager

CVE

CVE-2019-20435

Securin ID

2019-CSW-11-1027

Status

Fixed

Date

June 21, 2019

Description

A vulnerability was discovered on WSO2 products inline API documentation editor page of the API Publisher.  A reflected cross-site script (XSS) vulnerability allows an attacker to perform in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful request parameter for ‘docName.’

Proof of Concept (POC):

The POST request docName variable is vulnerable to reflected Cross-Site Scripting (XSS) in the URL, https://192.168.107.2:9443/publisher/site/blocks/documentation/ajax/docs.jag

Figure 01: New document created in the API.

Figure 02: Choose ‘Edit Content’ to edit document information.

Figure 03: Actual GET request URL.

Figure 04: Crafted request with XSS payload, XSS<img src=x onerror=prompt(1)> gets reflected in the same browser as response.

Impact

By tricking a privileged user into clicking a created URL via email, IM, or a neutral web site, the attacker can make the browser get redirected to a malicious website, which makes changes in the UI of the web page and retrieve information from the browser or harm otherwise. But since all session-related sensitive cookies are set with httpOnly flat and protected, session hijacking or mounting a similar attack would not be possible.

Remediations

Download the relevant patch based on the product version.

Code

Product

Version

Patch

AM

 WSO2 API Manager

2.6.0

WSO2-CARBON-PATCH-4.4.0-4941

Timeline

Jun 21, 2019: Discovered in WSO2 API Manager Product version 2.6.0

Jun 21, 2019: Report sent to WS02

Jun 21, 2019: WS02 acknowledged the report

Aug 13, 2019: Vendor informed their customers about the vulnerability

Nov 04, 2019: Public announcement by the vendor about the vulnerability

Let Securin level up your security posture!

START NOW