Abstract Advisory Information
A DOM-based XSS vulnerability exists in the store part of the product.
Authors: Julien Oury–Nogues
Version affected
Name: WSO2 API Manager
Versions: 2.6.0
Common Vulnerability Scoring System
2.0
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Patches
http://product-dist.wso2.com/downloads/carbon/wilkes/patch3475/WSO2-CARBON-PATCH-4.4.0-3475.zip
References
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0501
Vulnerability Disclosure Timeline
- 19/10/2018: Vulnerability discovered
- 22/10/2018: Contact WSO2 security team
- 29/01/2019: Public disclosure