Lucene search

MitreCVE-2020-17453

HistoryApr 05, 2021 - 10:15 p.m.

CVE-2020-17453

2021-04-0522:15:12

CWE-79

mitre

web.nvd.nist.gov

cve-2020-17453

wso2

management console

xss

vulnerability

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.008

Percentile

82.2%

JSON

WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.

Affected configurations

Nvd

Node

wso2api_managerRange≤3.2.0

wso2api_manager_analyticsMatch2.2.0

wso2api_manager_analyticsMatch2.5.0

wso2api_manager_analyticsMatch2.6.0

wso2api_microgatewayMatch2.2.0

wso2enterprise_integratorRange≤6.6.0

wso2identity_serverRange≤5.10.0

wso2identity_server_analyticsMatch5.4.0

wso2identity_server_analyticsMatch5.4.1

wso2identity_server_analyticsMatch5.5.0

wso2identity_server_analyticsMatch5.6.0

wso2identity_server_as_key_managerMatch5.5.0

wso2identity_server_as_key_managerMatch5.6.0

wso2identity_server_as_key_managerMatch5.7.0

wso2identity_server_as_key_managerMatch5.9.0

wso2identity_server_as_key_managerMatch5.10.0

wso2micro_integratorMatch1.0.0

VendorProductVersionCPE
wso2api_manager*cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
wso2api_manager_analytics2.2.0cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*
wso2api_manager_analytics2.5.0cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*
wso2api_manager_analytics2.6.0cpe:2.3:a:wso2:api_manager_analytics:2.6.0:*:*:*:*:*:*:*
wso2api_microgateway2.2.0cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*
wso2enterprise_integrator*cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*
wso2identity_server*cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*
wso2identity_server_analytics5.4.0cpe:2.3:a:wso2:identity_server_analytics:5.4.0:*:*:*:*:*:*:*
wso2identity_server_analytics5.4.1cpe:2.3:a:wso2:identity_server_analytics:5.4.1:*:*:*:*:*:*:*
wso2identity_server_analytics5.5.0cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wso2	api_manager	*	cpe:2.3:a:wso2:api_manager::::::::
wso2	api_manager_analytics	2.2.0	cpe:2.3:a:wso2:api_manager_analytics:2.2.0:::::::*
wso2	api_manager_analytics	2.5.0	cpe:2.3:a:wso2:api_manager_analytics:2.5.0:::::::*
wso2	api_manager_analytics	2.6.0	cpe:2.3:a:wso2:api_manager_analytics:2.6.0:::::::*
wso2	api_microgateway	2.2.0	cpe:2.3:a:wso2:api_microgateway:2.2.0:::::::*
wso2	enterprise_integrator	*	cpe:2.3:a:wso2:enterprise_integrator::::::::
wso2	identity_server	*	cpe:2.3:a:wso2:identity_server::::::::
wso2	identity_server_analytics	5.4.0	cpe:2.3:a:wso2:identity_server_analytics:5.4.0:::::::*
wso2	identity_server_analytics	5.4.1	cpe:2.3:a:wso2:identity_server_analytics:5.4.1:::::::*
wso2	identity_server_analytics	5.5.0	cpe:2.3:a:wso2:identity_server_analytics:5.5.0:::::::*

Rows per page:

1-10 of 171

References

github.com/JHHAX/CVE-2020-17453-PoC

security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/

twitter.com/JacksonHHax/status/1374681422678519813

Social References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.008

Percentile

82.2%

JSON

Related for CVE-2020-17453