Securin Zero-Days

CVE-2019-20436 – Stored Cross-Site Scripting in WSO2 Product

Severity: Medium

Vendor: WSO2

Affected Product: See Full List Below*

CVE: CVE-2019-20436

Securin ID: 2019-CSW-11-1029

Status: Fixed

Date: June 25, 2019

Description

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect’s URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console and to add and configure claim dialects.

*Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

Proof of Concept (POC):

The dialect parameter of the POST request to https://localhost:9443/carbon/identity-claim-mgt/add-dialect-finish-ajaxprocessor.jsp is vulnerable to stored Cross-Site Scripting (XSS): the value is saved unvalidated and later rendered into the service provider configuration page without output encoding.

Figure 01: Adding XSS payload to the dialect variable.

Figure 02: Added XSS payload, <script>alert(document.cookie)</script>, gets stored.

Figure 03: Edit the service provider information.

Figure 04: Select the XSS payload stored in the claims.

Figure 05: Add Service Provider Claim Dialect URI by selecting the stored URI value from claims.

Figure 06: Injected XSS payload gets executed in the browser after adding claims.
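The root cause shown in the figures is a value that is accepted as a "URI" without being checked and then written into HTML unescaped. The following is an added illustration of the two controls that close a stored XSS of this shape: validate the dialect URI at submission time and HTML-encode the stored value wherever it is rendered. It is not WSO2's patch; the function names and the sample URI http://example.org/claims are constructed for this example, and only the payload string itself is taken from the advisory.

```python
"""Added example (not WSO2 code): validating and HTML-escaping a claim dialect URI.

Two independent defences against the stored XSS described above:
  1. Reject any dialect URI that is not an absolute http(s) URI made solely of
     RFC 3986 URI characters (input validation at add-dialect time).
  2. HTML-escape the stored value when rendering it into the service provider
     page (output encoding), so a value that slipped past validation is inert.
"""
import html
import re
from urllib.parse import urlparse

# RFC 3986 unreserved + reserved characters plus '%' for percent-encoding.
# '<', '>', '"' and whitespace are not URI characters, so markup cannot pass.
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")
_MAX_URI_LEN = 2048  # constructed limit; keeps stored values bounded


def is_valid_dialect_uri(value: str) -> bool:
    """Return True only for an absolute http(s) URI built from URI characters.

    A bare scheme such as 'javascript:alert(1)' passes the character check but
    has no network location, so it is rejected by the scheme/netloc test.
    """
    if not value or len(value) > _MAX_URI_LEN or not _URI_CHARS.match(value):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def render_dialect_option(uri: str) -> str:
    """Render a stored dialect URI as an <option>, escaped for HTML context.

    html.escape(..., quote=True) encodes & < > " and ', which covers both the
    attribute value and the element text in this template.
    """
    safe = html.escape(uri, quote=True)
    return f'<option value="{safe}">{safe}</option>'


def add_dialect(store: list, value: str) -> bool:
    """Simulate the add-dialect handler: store the URI only if it validates."""
    if not is_valid_dialect_uri(value):
        return False
    store.append(value)
    return True


if __name__ == "__main__":
    # Constructed inputs: one legitimate dialect URI and the payload from the PoC.
    payload = "<script>alert(document.cookie)</script>"
    dialects: list = []
    print("legit accepted:", add_dialect(dialects, "http://example.org/claims"))
    print("payload accepted:", add_dialect(dialects, payload))
    # Even if the payload were already in the store, output encoding neutralises it.
    print(render_dialect_option(payload))
```

The validation step alone would have blocked the PoC value, but output encoding is the control that matters most, because any value that reaches the page from another code path (a migration, an API, a future UI) is rendered through the same template.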

Impact

Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page and retrieving information from the browser are possible. However, since all session-related sensitive cookies are set with the HttpOnly flag and protected, session hijacking or a similar attack would not be possible.

Remediations

Download the relevant patch based on the product version.

Code    Product                   Version   Patch
AM      WSO2 API Manager          2.6.0     WSO2-CARBON-PATCH-4.4.0-5118
IS KM   WSO2 IS as Key Manager    5.7.0     WSO2-CARBON-PATCH-4.4.0-5118
IS      WSO2 Identity Server      5.8.0     WSO2-CARBON-PATCH-4.4.0-5116

Timeline

Jun 25, 2019: Discovered in WSO2 Identity Server 5.7.0.

Jun 25, 2019: Report sent to WSO2.

Jun 25, 2019: WSO2 acknowledged the report.

Aug 13, 2019: Fixing began in all affected versions.

Sep 10, 2019: The vendor informed their customers about the vulnerability.

Nov 04, 2019: Public announcement by the vendor about the vulnerability.
