CVE-2024-8008
Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products via JDBC User Store Connection Validation
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.
This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Produtos afetados
WSO2 · WSO2 API Control PlaneWSO2 · WSO2 API ManagerWSO2 · WSO2 Carbon Identity User Store Configuration UIWSO2 · WSO2 Enterprise IntegratorWSO2 · WSO2 Identity ServerWSO2 · WSO2 Identity Server as Key ManagerWSO2 · WSO2 Open Banking AMWSO2 · WSO2 Open Banking IAMWSO2 · WSO2 Traffic ManagerWSO2 · WSO2 Universal GatewayQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →