Description

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.

Remediation

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/

Related Vulnerabilities

CVE-2023-31133 Vulnerability in npm package ghost

CVE-2019-19771 Vulnerability in npm package bictoin-ops

CVE-2019-19771 Vulnerability in npm package bs85check

CVE-2018-1288 Vulnerability in maven package org.apache.kafka:kafka_2.11

CVE-2020-6460 Vulnerability in maven package org.webjars.npm:electron

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

NVD-CWE-noinfo