Description

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.

Remediation

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/

Related Vulnerabilities

CVE-2020-27218 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2018-16487 Vulnerability in maven package org.fujion.webjars:lodash

CVE-2023-34238 Vulnerability in npm package gatsby-transformer-remark

CVE-2019-19771 Vulnerability in npm package hw-trnasport-u2f

CVE-2020-13444 Vulnerability in maven package com.liferay:com.liferay.dynamic.data.mapping.service

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

NVD-CWE-noinfo