Vulnerabilites related to wso2 - iot_server
cve-2020-24706
Vulnerability from cvelistv5
Published
2020-08-27 00:00
Modified
2024-08-04 15:19
Severity ?
EPSS score ?
Summary
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.362Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-09T05:58:33.145173",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718"
},
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24706",
"datePublished": "2020-08-27T00:00:00",
"dateReserved": "2020-08-27T00:00:00",
"dateUpdated": "2024-08-04T15:19:09.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-14651
Vulnerability from cvelistv5
Published
2017-09-21 18:00
Modified
2024-08-05 19:34
Severity ?
EPSS score ?
Summary
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cybersecurityworks/Disclosed/issues/15 | x_refsource_MISC | |
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265 | x_refsource_MISC | |
| https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:34:39.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-09-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-29T20:58:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-14651",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cybersecurityworks/Disclosed/issues/15",
"refsource": "MISC",
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
},
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-14651",
"datePublished": "2017-09-21T18:00:00",
"dateReserved": "2017-09-21T00:00:00",
"dateUpdated": "2024-08-05T19:34:39.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-24704
Vulnerability from cvelistv5
Published
2020-08-27 00:00
Modified
2024-08-04 15:19
Severity ?
EPSS score ?
Summary
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.324Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0685/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T02:18:33.400934",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0685/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24704",
"datePublished": "2020-08-27T00:00:00",
"dateReserved": "2020-08-27T00:00:00",
"dateUpdated": "2024-08-04T15:19:09.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36760
Vulnerability from cvelistv5
Published
2021-12-07 20:48
Modified
2024-08-04 01:01
Severity ?
EPSS score ?
Summary
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.wso2.com/display/Security/2021+Advisories | x_refsource_MISC | |
| https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-07T20:48:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-36760",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.wso2.com/display/Security/2021+Advisories",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314",
"refsource": "MISC",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-36760",
"datePublished": "2021-12-07T20:48:56",
"dateReserved": "2021-07-16T00:00:00",
"dateUpdated": "2024-08-04T01:01:59.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6835
Vulnerability from cvelistv5
Published
2023-12-15 09:16
Modified
2024-08-02 08:42
Severity ?
EPSS score ?
Summary
Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | WSO2 | WSO2 API Manager |
Version: 2.2.0.0 < 2.2.0.16 Version: 2.5.0.0 < 2.5.0.17 Version: 2.6.0.0 < 2.6.0.24 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:07.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"repo": "https://github.com/wso2/product-apim",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.16",
"status": "affected",
"version": "2.2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.17",
"status": "affected",
"version": "2.5.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.0.24",
"status": "affected",
"version": "2.6.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 IoT Server",
"repo": "https://github.com/wso2/product-iots",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.3.1.17",
"status": "affected",
"version": "3.3.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple WSO2 products have been identified as vulnerable d\u003cspan style=\"background-color: var(--wht);\"\u003eue to lack of server-side input validation in the \u003c/span\u003e\u003cstrong\u003eForum\u003c/strong\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;feature, API rating could be manipulated.\u003c/span\u003e"
}
],
"value": "Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum\u00a0feature, API rating could be manipulated."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-15T09:16:27.473Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\u003cbr\u003e\u003cbr\u003eCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1...\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/ \n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2023-6835",
"datePublished": "2023-12-15T09:16:27.473Z",
"dateReserved": "2023-12-15T09:13:13.207Z",
"dateUpdated": "2024-08-02T08:42:07.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-24705
Vulnerability from cvelistv5
Published
2020-08-27 00:00
Modified
2024-08-04 15:19
Severity ?
EPSS score ?
Summary
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.326Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T02:27:03.346897",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24705",
"datePublished": "2020-08-27T00:00:00",
"dateReserved": "2020-08-27T00:00:00",
"dateUpdated": "2024-08-04T15:19:09.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-24703
Vulnerability from cvelistv5
Published
2020-08-27 00:00
Modified
2024-08-04 15:19
Severity ?
EPSS score ?
Summary
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T02:15:47.717517",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24703",
"datePublished": "2020-08-27T00:00:00",
"dateReserved": "2020-08-27T00:00:00",
"dateUpdated": "2024-08-04T15:19:09.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2017-09-21 18:29
Modified
2024-11-21 03:13
Severity ?
Summary
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265 | Patch, Vendor Advisory | |
| cve@mitre.org | https://github.com/cybersecurityworks/Disclosed/issues/15 | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cybersecurityworks/Disclosed/issues/15 | Exploit, Technical Description, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.1.0 | |
| wso2 | app_manager | 1.2.0 | |
| wso2 | application_server | 5.3.0 | |
| wso2 | business_process_server | 3.6.0 | |
| wso2 | business_rules_server | 2.2.0 | |
| wso2 | complex_event_processor | 4.2.0 | |
| wso2 | dashboard_server | 2.0.0 | |
| wso2 | data_analytics_server | 3.1.0 | |
| wso2 | data_services_server | 3.5.1 | |
| wso2 | enterprise_integrator | 6.1.1 | |
| wso2 | enterprise_mobility_manager | 2.2.0 | |
| wso2 | governance_registry | 5.4.0 | |
| wso2 | identity_server | 5.3.0 | |
| wso2 | iot_server | 3.0.0 | |
| wso2 | machine_learner | 1.2.0 | |
| wso2 | message_broker | 3.2.0 | |
| wso2 | storage_server | 1.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "245D4EB1-F69D-4FAF-94DB-F4B3D3C20539",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:app_manager:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DD697F16-E1A2-4320-A76E-794B05D3620B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:application_server:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8891BAB1-C357-4BC7-8B7A-541B9698F0A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:business_process_server:3.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E1F3AA02-B597-4C9F-936A-A4DC91F590B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:business_rules_server:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5435A911-096A-4DEE-9E04-1D3CBF4D98D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:complex_event_processor:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "397D6C9B-62A5-42FC-AB3B-C03598C25A7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:dashboard_server:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AF5FB891-085E-4777-B771-1CDC367B8848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "941D83A5-1978-49AE-890D-E31980E2D6AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_services_server:3.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DEC72298-39AC-450F-8419-951057332163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EA3B48BB-ECB5-4A94-B76D-97BC3D303E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_mobility_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A9D6FCEF-7685-42DD-B322-AD87B5F37574",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:governance_registry:5.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7B815FD-E12D-46CE-94B3-06ED2C75285D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0375C318-ECD2-4657-A0D7-4A0708266FBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "00E81462-A034-4540-A086-7D836C6B17E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:machine_learner:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CE333EE1-8158-40AF-8367-ACDCAA498516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:message_broker:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C8E3ADAB-067C-4D18-BDCA-43DDC607E4BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:storage_server:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E0036440-3C00-4776-8DF6-AC30256EADBD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter."
},
{
"lang": "es",
"value": "WSO2 Data Analytics Server 3.1.0 tiene una vulnerabilidad de tipo Cross-Site Scripting (XSS) en carbon/resources/add_collection_ajaxprocessor.jsp mediante los par\u00e1metros collectionName o parentPath."
}
],
"id": "CVE-2017-14651",
"lastModified": "2024-11-21T03:13:17.600",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-21T18:29:00.167",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/cybersecurityworks/Disclosed/issues/15"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-27 16:15
Modified
2024-11-21 05:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.2.0 | |
| wso2 | api_manager_analytics | 2.2.0 | |
| wso2 | api_microgateway | 2.2.0 | |
| wso2 | data_analytics_server | 3.2.0 | |
| wso2 | enterprise_integrator | * | |
| wso2 | identity_server | 5.5.0 | |
| wso2 | identity_server | 5.8.0 | |
| wso2 | identity_server_analytics | 5.5.0 | |
| wso2 | identity_server_as_key_manager | 5.5.0 | |
| wso2 | iot_server | 3.3.0 | |
| wso2 | iot_server | 3.3.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CCDDFAB-C8FC-41C4-9872-667C442F119B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16E39585-2B28-4631-A62F-27F17DC9AB4A",
"versionEndIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42BFE7A0-A168-4C1E-8725-41DD500C837E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FCAD802D-4746-49D2-AC21-7956F46274A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "53EC589C-09C6-440C-AF9A-DD86A23311FE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en determinados productos WSO2. Se puede enviar una cookie de sesi\u00f3n v\u00e1lida de Carbon Management Console hacia un servidor controlado por el atacante si la v\u00edctima env\u00eda una petici\u00f3n Try It dise\u00f1ada, tambi\u00e9n se conoce como Session Hijacking. Esto afecta a API Manager versi\u00f3n 2.2.0, API Manager Analytics versi\u00f3n 2.2.0, API Microgateway versi\u00f3n 2.2.0, Data Analytics Server versi\u00f3n 3.2.0, Enterprise Integrator versiones hasta 6.6.0, IS as Key Manager versi\u00f3n 5.5.0, Identity Server versiones 5.5.0 y 5.8 .0, Identity Server Analytics versi\u00f3n 5.5.0 y IoT Server versiones 3.3.0 y 3.3.1"
}
],
"id": "CVE-2020-24703",
"lastModified": "2024-11-21T05:15:52.450",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-27T16:15:11.583",
"references": [
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-27 16:15
Modified
2024-11-21 05:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.2.0 | |
| wso2 | api_manager_analytics | 2.2.0 | |
| wso2 | api_microgateway | 2.2.0 | |
| wso2 | data_analytics_server | 3.2.0 | |
| wso2 | enterprise_integrator | * | |
| wso2 | identity_server | 5.5.0 | |
| wso2 | identity_server | 5.8.0 | |
| wso2 | identity_server_analytics | 5.5.0 | |
| wso2 | identity_server_as_key_manager | 5.5.0 | |
| wso2 | iot_server | 3.3.0 | |
| wso2 | iot_server | 3.3.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CCDDFAB-C8FC-41C4-9872-667C442F119B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16E39585-2B28-4631-A62F-27F17DC9AB4A",
"versionEndIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42BFE7A0-A168-4C1E-8725-41DD500C837E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FCAD802D-4746-49D2-AC21-7956F46274A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "53EC589C-09C6-440C-AF9A-DD86A23311FE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en determinados productos WSO2. La herramienta Try It permite un ataque de tipo XSS Reflejado. Esto afecta a API Manager versi\u00f3n 2.2.0, API Manager Analytics versi\u00f3n 2.2.0, API Microgateway versi\u00f3n 2.2.0, Data Analytics Server versi\u00f3n 3.2.0, Enterprise Integrator versiones hasta 6.6.0, IS as Key Manager versi\u00f3n 5.5.0, Identity Server versiones 5.5.0 y 5.8 .0, Identity Server Analytics versi\u00f3n 5.5.0 y IoT Server versiones 3.3.0 y 3.3.1"
}
],
"id": "CVE-2020-24704",
"lastModified": "2024-11-21T05:15:52.603",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-27T16:15:11.677",
"references": [
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0685/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0685/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-27 16:15
Modified
2024-11-21 05:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | * | |
| wso2 | api_manager_analytics | 2.5.0 | |
| wso2 | identity_server | * | |
| wso2 | identity_server_analytics | * | |
| wso2 | identity_server_as_key_manager | * | |
| wso2 | iot_server | 3.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E71049-86F8-479F-8D9D-2D67B2CC6EB4",
"versionEndIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5601E5C8-011F-4FF3-A327-3B2D637EAC79",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05810F17-3BC8-400A-92BF-0D51E3580409",
"versionEndIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78933A5F-C186-47B9-8EC3-161C4451B719",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "663657FF-9D02-49A2-B988-315D52D7E220",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en determinados productos WSO2. Se puede enviar una cookie de sesi\u00f3n v\u00e1lida de Carbon Management Console hacia un servidor controlado por el atacante si la v\u00edctima env\u00eda una petici\u00f3n Try It dise\u00f1ada, tambi\u00e9n se conoce como Session Hijacking. Esto afecta a API Manager versiones hasta 3.1.0, API Manager Analytics versi\u00f3n 2.5.0, IS as Key Manager versiones hasta 5.10.0, Identity Server versiones hasta 5.10.0, Identity Server Analytics versiones hasta 5.6.0 e IoT Server 3.1.0"
}
],
"id": "CVE-2020-24705",
"lastModified": "2024-11-21T05:15:52.763",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-27T16:15:11.753",
"references": [
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-12-07 21:15
Modified
2024-11-21 06:14
Severity ?
Summary
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 3.0.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | identity_server | 5.7.0 | |
| wso2 | identity_server | 5.8.0 | |
| wso2 | identity_server | 5.9.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server_as_key_manager | 5.3.0 | |
| wso2 | identity_server_as_key_manager | 5.5.0 | |
| wso2 | identity_server_as_key_manager | 5.6.0 | |
| wso2 | identity_server_as_key_manager | 5.7.0 | |
| wso2 | identity_server_as_key_manager | 5.9.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | iot_server | 3.3.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF14774-8935-4FC9-B5C8-9771B3D6EBFD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "981D701D-E381-484A-9614-CD0EF0331071",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "104DBA04-538E-4CC5-9B6C-CFEDB40375AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "53EC589C-09C6-440C-AF9A-DD86A23311FE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)"
},
{
"lang": "es",
"value": "En el archivo accountrecoveryendpoint/recoverpassword.do en WSO2 Identity Server versi\u00f3n 5.7.0, es posible llevar a cabo un ataque de tipo XSS basado en DOM que afecta al par\u00e1metro callback modificando la URL que precede al par\u00e1metro callback. Una vez que el procedimiento de restablecimiento del nombre de usuario o de la contrase\u00f1a ha sido completado, el c\u00f3digo JavaScript ser\u00e1 ejecutado. (recoverpassword.do tambi\u00e9n presenta un problema de redireccionamiento abierto por un motivo similar)"
}
],
"id": "CVE-2021-36760",
"lastModified": "2024-11-21T06:14:02.127",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-07T21:15:08.297",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/2021+Advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1314"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-15 10:15
Modified
2024-11-21 08:44
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 2.2.0 | |
| wso2 | api_manager | 2.5.0 | |
| wso2 | api_manager | 2.6.0 | |
| wso2 | iot_server | 3.3.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0D57C8CF-084D-4142-9AF1-7C9F1261A3BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "53EC589C-09C6-440C-AF9A-DD86A23311FE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum\u00a0feature, API rating could be manipulated."
},
{
"lang": "es",
"value": "Se han identificado varios productos WSO2 como vulnerables debido a la falta de validaci\u00f3n de entrada del lado del servidor en la funci\u00f3n Foro; la clasificaci\u00f3n API podr\u00eda manipularse."
}
],
"id": "CVE-2023-6835",
"lastModified": "2024-11-21T08:44:38.680",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-15T10:15:09.043",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-27 16:15
Modified
2024-11-21 05:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | * | |
| wso2 | api_manager_analytics | 2.5.0 | |
| wso2 | identity_server | * | |
| wso2 | identity_server_analytics | * | |
| wso2 | identity_server_as_key_manager | * | |
| wso2 | iot_server | 3.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E71049-86F8-479F-8D9D-2D67B2CC6EB4",
"versionEndIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5601E5C8-011F-4FF3-A327-3B2D637EAC79",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05810F17-3BC8-400A-92BF-0D51E3580409",
"versionEndIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78933A5F-C186-47B9-8EC3-161C4451B719",
"versionEndIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:iot_server:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "663657FF-9D02-49A2-B988-315D52D7E220",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en determinados productos WSO2. La herramienta Try It permite un ataque de tipo XSS Reflejado. Esto afecta a API Manager versiones hasta 3.1.0, API Manager Analytics versi\u00f3n 2.5.0, IS as Key Manager versiones hasta 5.10.0, Identity Server versiones hasta 5.10.0, Identity Server Analytics versiones hasta 5.6.0 y IoT Server versi\u00f3n 3.1.0"
}
],
"id": "CVE-2020-24706",
"lastModified": "2024-11-21T05:15:53.777",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-27T16:15:11.877",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718"
},
{
"source": "cve@mitre.org",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}