CVE-2020-17454: XSS
First published: Wed Oct 21 2020(Updated: )
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal box appears that writes an error message concatenated to the injected payload (without any form of data encoding). This can also be exploited via CSRF.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WSO2 API Manager | <=3.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID of WSO2 API Manager?
The vulnerability ID of WSO2 API Manager is CVE-2020-17454.
What is the severity level of CVE-2020-17454?
The severity level of CVE-2020-17454 is medium, with a score of 6.1.
How can the reflected XSS vulnerability be exploited in WSO2 API Manager?
The reflected XSS vulnerability in WSO2 API Manager can be exploited by injecting an XSS payload into the owner POST parameter which does not filter user inputs.
What is the affected software version of WSO2 API Manager?
WSO2 API Manager version 3.1.0 and earlier are affected by this vulnerability.
Is there a security advisory available for CVE-2020-17454?
Yes, there is a security advisory available for CVE-2020-17454 at the following link: [Security Advisory WSO2-2020-0843](https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0843).
- collector/nvd-index
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/author
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/wso2
- canonical/wso2 api manager
- version/wso2 api manager/3.1.0