fkie_cve-2020-27885
Vulnerability from fkie_nvd
Published
2020-10-29 21:15
Modified
2024-11-21 05:21
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s password and invalidate the session of the victim while the hacker maintains access.
References
cve@mitre.orghttps://docs.wso2.com/display/Security/2020+AdvisoriesVendor Advisory
cve@mitre.orghttps://www.rodrigofavarini.com.br/cybersecurity/multiple-xss-on-api-manager-3-1-0/Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://docs.wso2.com/display/Security/2020+AdvisoriesVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.rodrigofavarini.com.br/cybersecurity/multiple-xss-on-api-manager-3-1-0/Exploit, Third Party Advisory
Impacted products
Vendor Product Version
wso2 api_manager 3.1.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user\u2019s session by stealing cookies which means that a malicious hacker can change the logged-in user\u2019s password and invalidate the session of the victim while the hacker maintains access."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en WSO2 API Manager versi\u00f3n 3.1.0. Al explotar una vulnerabilidad de tipo Cross-site scripting el atacante puede secuestrar la sesi\u00f3n de un usuario conectado mediante el robo de cookies, lo que significa que un hacker malicioso puede cambiar la contrase\u00f1a del usuario conectado e invalidar la sesi\u00f3n de la v\u00edctima mientras el hacker mantiene el acceso"
    }
  ],
  "id": "CVE-2020-27885",
  "lastModified": "2024-11-21T05:21:58.937",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-10-29T21:15:15.957",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.wso2.com/display/Security/2020+Advisories"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.rodrigofavarini.com.br/cybersecurity/multiple-xss-on-api-manager-3-1-0/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.wso2.com/display/Security/2020+Advisories"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.rodrigofavarini.com.br/cybersecurity/multiple-xss-on-api-manager-3-1-0/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.