Description

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.

Remediation

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/

Related Vulnerabilities

CVE-2013-6407 Vulnerability in maven package org.apache.solr:solr-core

CVE-2020-11971 Vulnerability in maven package org.apache.camel:camel-api

CVE-2020-13956 Vulnerability in maven package org.apache.httpcomponents.client5:httpclient5

CVE-2023-44487 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2017-4960 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-server

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

NVD-CWE-noinfo