Securin Zero-Days

CVE-2019-20434 – Multiple Reflected Cross-Site Scripting in WSO2 Product

Discovered byCyber Security Works Pvt. Ltd.

Severity:Medium

Vendor

WSO2

Affected Product

WSO2 API Manager

CVE

CVE-2019-20434

Securin ID

2019-CSW-10-1027

Status

Fixed

Date

May 4, 2019

Description

Multiple reflected cross-site scripting (XSS) vulnerability was identified on WSO2 Data Analytics Server Product in the Data source creation page of the Management Console. A reflected cross-site script (XSS) vulnerability allows an attacker to inject malicious code in the data source creation page of the Management Console by sending an HTTP GET request with a harmful request parameter.

Proof of Concept (POC):

Issue 1 & 2:

Access the URL, and add XSS payload xss”><script>alert(1)</script> through vulnerable variable path & name to execute XSS in the POST request URL.

Figure 01: Access the URL and browse the registry->browse and add XSS payloads

Figure 02: Add a new property.

Figure 03: XSS payload added to the path variable and gets reflected in the response.

Figure 04: Injected XSS payload gets reflected in the browser.

Figure 05: XSS payload added to the name variable and gets reflected in the response.

Figure 06: Injected XSS payload gets reflected in the browser URL.

Issue 3:Access the GET request URL (added with XSS payload) directly to see XSS getting reflected in the browser.

Figure 07: Access to add new Data Source.

Figure 08: Capturing the GET request and added XSS payload gets reflected in the response.

Figure 9: Injected XSS payload, XSS%22%3e%3cscript%3ealert(1)%3c/script%3e through vulnerable dsProvider gets reflected whenever the user tries to access the URL to add new Data Source.

Impact

An attacker can trick a privileged user into clicking a crafted URL and hijacking a logged-in user’s session by stealing cookies. This means that the attacker can change the logged-in user’s password and invalidate the session of the victim while the hacker maintains access.

Remediations

Download the relevant patch based on the product version.

Code	Product	Version	Patch
AM	WSO2 API Manager	2.6.0	https://product-dist.wso2.com/downloads/carbon/wilkes/patch4935/WSO2-CARBON-PATCH-4.4.0-4935.zip

Timeline

May 04, 2019: Discovered in WSO2 Data Analytics Server Product version 3.1.0

May 04, 2019: Report sent to WS02

May 07, 2019: WS02 acknowledged the report

May 09, 2019: Issue 3 was confirmed, and Issue 1 & 2 are not valid

Aug 12, 2019: Vendor informed their customers about the vulnerability

Sep 10, 2019: Public announcement by the vendor about the vulnerability

Attack Surface Management

Vulnerability Intelligence

Vulnerability Management

Penetration Testing

PARTNERS

RESOURCES

WHO WE ARE

CAREERS