CVE-2021-36760: XSS
First published: Tue Dec 07 2021(Updated: )
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WSO2 API Manager | =3.0.0 | |
| WSO2 API Manager | =3.1.0 | |
| WSO2 API Manager | =3.2.0 | |
| WSO2 API Manager | =4.0.0 | |
| WSO2 Identity Server | =5.7.0 | |
| WSO2 Identity Server | =5.8.0 | |
| WSO2 Identity Server | =5.9.0 | |
| WSO2 Identity Server | =5.10.0 | |
| WSO2 Identity Server | =5.11.0 | |
| WSO2 Identity Server as Key Manager | =5.3.0 | |
| WSO2 Identity Server as Key Manager | =5.5.0 | |
| WSO2 Identity Server as Key Manager | =5.6.0 | |
| WSO2 Identity Server as Key Manager | =5.7.0 | |
| WSO2 Identity Server as Key Manager | =5.9.0 | |
| WSO2 Identity Server as Key Manager | =5.10.0 | |
| Wso2 Iot Server | =3.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-36760?
The severity of CVE-2021-36760 is medium with a CVSS score of 6.1.
Which software versions are affected by CVE-2021-36760?
CVE-2021-36760 affects WSO2 Identity Server versions 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0, as well as WSO2 Identity Server as Key Manager versions 5.3.0, 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0.
What is the vulnerability description of CVE-2021-36760?
CVE-2021-36760 is a DOM-Based XSS vulnerability in WSO2 Identity Server 5.7.0 that allows an attacker to modify the URL and execute malicious JavaScript code during the username or password reset procedure.
How can I fix CVE-2021-36760?
To fix CVE-2021-36760, it is recommended to upgrade to a fixed version of WSO2 Identity Server or apply the necessary security patches provided by the vendor.
Where can I find more information about CVE-2021-36760?
More information about CVE-2021-36760 can be found in the WSO2 Security Advisories documentation, specifically advisory WSO2-2021-1314.
- collector/nvd-index
- agent/author
- agent/severity
- agent/event
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/wso2
- canonical/wso2 api manager
- version/wso2 api manager/3.0.0
- version/wso2 api manager/3.1.0
- version/wso2 api manager/3.2.0
- version/wso2 api manager/4.0.0
- canonical/wso2 identity server
- version/wso2 identity server/5.7.0
- version/wso2 identity server/5.8.0
- version/wso2 identity server/5.9.0
- version/wso2 identity server/5.10.0
- version/wso2 identity server/5.11.0
- canonical/wso2 identity server as key manager
- version/wso2 identity server as key manager/5.3.0
- version/wso2 identity server as key manager/5.5.0
- version/wso2 identity server as key manager/5.6.0
- version/wso2 identity server as key manager/5.7.0
- version/wso2 identity server as key manager/5.9.0
- version/wso2 identity server as key manager/5.10.0
- canonical/wso2 iot server
- version/wso2 iot server/3.3.1