CVE-2020-24705
First published: Thu Aug 27 2020(Updated: )
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <=3.1.0 | ||
| =2.5.0 | ||
| <=5.10.0 | ||
| <=5.6.0 | ||
| <=5.10.0 | ||
| =3.1.0 | ||
| WSO2 API Manager | <=3.1.0 | |
| Wso2 Api Manager Analytics | =2.5.0 | |
| WSO2 Identity Server | <=5.10.0 | |
| WSO2 Identity Server Analytics | <=5.6.0 | |
| WSO2 Identity Server as Key Manager | <=5.10.0 | |
| Wso2 Iot Server | =3.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this issue in certain WSO2 products?
The vulnerability ID of this issue in certain WSO2 products is CVE-2020-24705.
What is the severity level of CVE-2020-24705?
The severity level of CVE-2020-24705 is high with a score of 8.8.
Which WSO2 products are affected by CVE-2020-24705?
The WSO2 products affected by CVE-2020-24705 include API Manager (up to version 3.1.0), API Manager Analytics (version 2.5.0), Identity Server (up to version 5.10.0), Identity Server Analytics (up to version 5.6.0), and Identity Server as Key Manager (up to version 5.10.0).
What is the description of CVE-2020-24705?
CVE-2020-24705 is a vulnerability in certain WSO2 products where a valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, leading to session hijacking.
Where can I find more information about CVE-2020-24705?
You can find more information about CVE-2020-24705 at the following link: [Security Advisory WSO2-2020-0718](https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718).
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/author
- agent/references
- agent/severity
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/wso2
- canonical/wso2 api manager
- version/wso2 api manager/3.1.0
- canonical/wso2 api manager analytics
- version/wso2 api manager analytics/2.5.0
- canonical/wso2 identity server
- version/wso2 identity server/5.10.0
- canonical/wso2 identity server analytics
- version/wso2 identity server analytics/5.6.0
- canonical/wso2 identity server as key manager
- version/wso2 identity server as key manager/5.10.0
- canonical/wso2 iot server
- version/wso2 iot server/3.1.0