WSO2 has released a fix for a Reflected Cross-Site Scripting (XSS) vulnerability in the Management Console. The vulnerability, tracked as CVE-2022-29548, can be exploited by tampering with the parameter in the Management Console. This vulnerability exists due to improper output encoding and affects various WSO2 products.
WSO2 is an open-source software provider that offers an enterprise platform for integrating application programming interfaces (APIs), applications, and web services locally and across the Internet.
There are three main types of XSS attacks.
- Reflected XSS: Occurs when user input is immediately returned by a web application in an error message, search result, or any other response.
- Stored XSS: Occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc.
- DOM-based XSS: A form of XSS where the entire tainted data flow from source to sink takes place in the browser and the data flow never leaves the browser.
The vulnerable versions of the WSO2 management console have an improper output encoding which allows an attacker to perform the Reflected Cross-Site Scripting (XSS) attack by altering the parameters of the management console.
According to the vendor, successful exploitation of this vulnerability allows a malicious actor to redirect the browser to a malicious website, make changes in the UI (User Interface) of the web page, retrieve information from the browser, or harm otherwise. However, since all the session-related sensitive cookies are set with the
httpOnly flag and protected, session hijacking or similar attacks would not be possible.
errorCode URL parameter. The associated vulnerable endpoint is
At Qualys Labs, we tested the vulnerability on multiple WSO2 products.
Product: WSO2 API manager
Image Source: Qualys Labs
Product: WSO2 Identity Server
Image Source: Qualys Labs
- WSO2 Micro Integrator: 1.0.0
- WSO2 API Microgateway: 2.2.0
- WSO2 Data Analytics Server: 3.2.0
- WSO2 Identity Server Analytics: 5.5.0, 5.6.0
- WSO2 API Manager Analytics: 2.2.0, 2.5.0, 2.6.0
- WSO2 IS as Key Manager: 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0
- WSO2 Enterprise Integrator: 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0
- WSO2 Identity Server: 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, 5.11.0
- WSO2 API Manager: 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0
The vendor has released a patch addressing the XSS vulnerability. Customers can refer to the WSO2 Security Advisory WSO2-2021-1603 to know more about patch details.
Qualys customers can scan their devices with QID 730513 to detect vulnerable assets.
Continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.