CVE-2022-29548

21.04.2022, 02:15

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.6 MEDIUM	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
mitre	CNA	4.6 MEDIUM	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AC:L/AV:A/A:N/C:L/I:L/PR:N/S:U/UI:R
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 98%

Vendor	Product	Version
wso2	api_manager	2.2.0
wso2	api_manager	2.5.0
wso2	api_manager	2.6.0
wso2	api_manager	3.0.0
wso2	api_manager	3.1.0
wso2	api_manager	3.2.0
wso2	api_manager	4.0.0
wso2	api_manager_analytics	2.2.0
wso2	api_manager_analytics	2.5.0
wso2	api_manager_analytics	2.6.0
wso2	api_microgateway	2.2.0
wso2	data_analytics_server	3.2.0
wso2	enterprise_integrator	6.2.0
wso2	enterprise_integrator	6.3.0
wso2	enterprise_integrator	6.4.0
wso2	enterprise_integrator	6.5.0
wso2	enterprise_integrator	6.6.0
wso2	identity_server	5.5.0
wso2	identity_server	5.6.0
wso2	identity_server	5.7.0
wso2	identity_server	5.9.0
wso2	identity_server	5.10.0
wso2	identity_server	5.11.0
wso2	identity_server_analytics	5.5.0
wso2	identity_server_analytics	5.6.0
wso2	identity_server_as_key_manager	5.5.0
wso2	identity_server_as_key_manager	5.6.0
wso2	identity_server_as_key_manager	5.7.0
wso2	identity_server_as_key_manager	5.9.0
wso2	identity_server_as_key_manager	5.10.0
wso2	micro_integrator	1.0.0

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/

http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/