Cross-Site Scripting Vulnerability in WSO2 Management Console
CVE-2020-17453

6.1MEDIUM

Key Information:

Vendor: Wso2
Status: Identity Server As Key Manager; Enterprise Integrator; Api Microgateway; Identity Server
Vendor: CVE Published:; 5 April 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 72%

What is CVE-2020-17453?

The WSO2 Management Console prior to version 5.10 is susceptible to a Cross-Site Scripting (XSS) attack. This vulnerability arises due to insufficient validation of the 'msgId' parameter in the carbon/admin/login.jsp file. An attacker can exploit this flaw to inject malicious scripts into the web interface, potentially compromising sensitive user session data and executing malicious code in the context of the user's session.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-17453
Created by karthi-the-hacker

CVE-2020-17453-PoC
Created by ydycjz6j

References

https://twitter.com/JacksonHHax/status/1374681422678519813

https://github.com/JHHAX/CVE-2020-17453-PoC

https://security.docs.wso2.com/en/latest/security-announc...

EPSS Score

72% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 20, 2023
👾
Exploit known to exist
Apr 20, 2023
Vulnerability published
Apr 5, 2021
Vulnerability Reserved
Aug 9, 2020

Wso2