CVE-2016-4316

Name of the Vulnerable Software and Affected Versions WSO2 Carbon version 4.4.5

Description The issue allows remote attackers to inject arbitrary web script or HTML via several vulnerable parameters, including the setName parameter to "identity-mgt/challenges-mgt.jsp", the webappType or httpPort parameter to "webapp-list/webapp info.jsp", the dsName or description parameter to "ndatasource/newdatasource.jsp", the phase parameter to "viewflows/handlers.jsp", or the url parameter to "ndatasource/validateconnection-ajaxprocessor.jsp".

Recommendations For WSO2 Carbon version 4.4.5, as a temporary workaround, consider restricting access to the affected API endpoints, such as "identity-mgt/challenges-mgt.jsp", "webapp-list/webapp info.jsp", "ndatasource/newdatasource.jsp", "viewflows/handlers.jsp", and "ndatasource/validateconnection-ajaxprocessor.jsp", until a patch is available. Avoid using the vulnerable parameters setName, webappType, httpPort, dsName, description, phase, and url in the respective endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.