Securin Zero-Days

CVE-2019-20443 – Stored Cross-Site Scripting in WSO2

Severity:Low

Vendor

WSO2

Affected Product

See Full List Below*

CVE

CVE-2019-20443

Securin ID

2019-CSW-01-1024

Status

Fixed

Date

January 2, 2020

Description

This vulnerability was discovered on the WSO2 Identity Server before 5.7.0. A stored cross-site script (XSS) vulnerability allows an attacker to inject malicious code into the application and stored in the server. An input variable vulnerable to stored XSS is ‘mediaType’ on the browser page.

 

*Affected Products: WSO2 API Manager, WSO2 API Manager Analytics, WSO2 Enterprise Integrator, WSO2 IS as Key Manager, WSO2 Identity Server, WSO2 Identity Server Analytics

Proof of Concept (POC):

The following vulnerability was tested on WSO2 Identity Server version 5.7.0 Product.

Issue 01: Stored Cross-Site Scripting.

Figure 01: Edit “Media Type” value in the “Metadata” section.

Figure 02: Save “Media Type” with XSS payload, “><img src=x onerror=prompt(1)>

Figure 03: Injected XSS payload gets stored to the application.

Figure 04: Injected XSS Payload gets stored and executed in the browser.

Figure 05: The stored XSS payload gets executed in four different places throughout the page whenever the user loads the page.

Impact

Through an XSS attack, the attacker can make the browser redirect to a malicious website. Unauthorized actions such as changing the UI of the web page, retrieving information from the browser are possible. But since all session-related sensitive cookies are set with httpOnly flat and protected, session hijacking or mounting a similar attack would not be possible.

Remediations

Download the following relevant patch based on your product version.

Code Product  Version  Patch
APIM  WSO2 API Manager 2.6.0 WSO2-CARBON-PATCH-4.4.0-5432
EI  WSO2 Enterprise Integrator 6.5.0 WSO2-CARBON-PATCH-4.4.0-5518
IS KM   WSO2 IS as Key Manager 5.7.0 WSO2-CARBON-PATCH-4.4.0-5432
IS WSO2 Identity Server 5.8.0 WSO2-CARBON-PATCH-4.4.0-5431

Timeline

Jul 02, 2019: Discovered CVE-2019-20443 in WS02 Identity Server 5.7.0 Version.

Jul 02, 2019: Report sent to WS02.

Jul 02, 2019: WS02 acknowledged the report.

Aug 13, 2019: Fixing was initiated in all affected versions.

Sep 10, 2019: The vendor informed their customers about the vulnerability.

Oct 10, 2019: Public announcement by the vendor about the vulnerability.

Let Securin level up your security posture!