Download Ransomware Index Update Q1 2022
Back to all zero days

Reflected Cross-Site Scripting (XSS) in WSO2 Product 

Affected Vendor

WSO2

Status

Fixed

Date

Feb 10, 2020

High Severity

Description

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed when the user loads a page created in WSO2 Identity Server version 5.9.0 Product.

Proof of concept: (POC)

The following vulnerability was tested on WSO2 Identity Server version 5.9.0 Product.

Issue 01: Persistent Cross-Site scripting.

Figure 01: Navigating to the Policy Administration and Clicking the Add New Entitlement Policy Link.

Figure 02: Clicking the Write Policy in XML will open the (URL) Editor.

Figure 03: Injected Payload gets reflected in the Response body of the Policy editor page.

Figure 04: Payload gets Executed on the page.

Impact

By leveraging an XSS attack, an attacker can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser or harm otherwise. However, since all the session related sensitive cookies are set with httpOnly flag and protected, session hijacking or similar attacks would not be possible.

Remediations

Download and apply the relevant fixes based on the changes from the public fix:

https://github.com/wso2/carbon-identity-framework/pull/2738

Timeline

Jan 31, 2020 – Discovered in WSO2 Identity Server Manager version 5.9.0.

Feb 04, 2020 - CSW conducted an Internal Review

Feb 10, 2020 - Reported to the WSO2 security team

 

Discovered by

Cyber Security Works Pvt. Ltd.


  • Affected VendorWSO2
  • Bug NameReflected Cross-Site Scripting (XSS)
  • CVE NumberCVE-2020-14444
  • CWE IDCWE - 79
  • CSW ID2020-CSW-05-1042
  • CVSSv3 Score5.4
  • Affected Version5.9.0
  • SeverityHigh
  • Affected ProductWSO2 IS as Key Manager 5.9.0 or earlier, WSO2 Identity Server 5.9.0 or earlier
fb icon twitter icon insta icon

Talk to CSW's team of experts to secure your landscape.