Stored Cross-Site Scripting Vulnerability in WSO2 API Manager and Identity Server
CVE-2019-20442

CVSS score: 3.5 (LOW)

Key Information:

Vendor: WSO2
CVE Published: 28 January 2020

What is CVE-2019-20442?

A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the WSO2 registry UI, specifically within the roleToAuthorize feature. This vulnerability affects multiple WSO2 products, including the API Manager, Enterprise Integrator, Key Manager, and Identity Server. Attackers could exploit this flaw to inject malicious scripts that are stored and executed on the client side, potentially compromising user accounts and sensitive data.

CVSS V3.1

Score: 3.5
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
