Sathish Kumar Balakrishnan

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 **Description** A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console. **Recommendations** For WSO2 API Manager version 2.6.0, consider restricting access to the Datasource creation page of the Management Console until a patch is available. As a temporary workaround, avoid using the Datasource creation functionality in the Management Console to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 **Description** A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful `docName` request parameter. **Recommendations** For WSO2 API Manager version 2.6.0, consider restricting access to the inline API documentation editor page until a fix is available, and avoid using harmful `docName` request parameters in HTTP GET requests.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 WSO2 IS as Key Manager version 5.7.0 WSO2 Identity Server version 5.8.0 **Description** An issue was discovered where if a claim dialect is configured with an XSS payload in the dialect URI, and a user adds this dialect's URI as the service provider claim dialect while configuring the service provider, the payload gets executed. The attacker needs to have privileges to log in to the management console and to add and configure claim dialects. **Recommendations** For WSO2 API Manager version 2.6.0, consider disabling the claim dialect configuration feature until a patch is available. For WSO2 IS as Key Manager version 5.7.0, restrict access to the management console to minimize the risk of exploitation. For WSO2 Identity Server version 5.8.0, avoid using the claim dialect URI in the service provider configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 WSO2 IS as Key Manager version 5.7.0 WSO2 Identity Server version 5.8.0 **Description** An issue was discovered where a custom claim dialect with an XSS payload, when configured in the identity provider basic claim configuration, gets executed if a user picks up that dialect's URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker needs to have privileges to log in to the management console and to add and update identity provider configurations. **Recommendations** For WSO2 API Manager version 2.6.0, consider disabling the custom claim dialect configuration until a patch is available. For WSO2 IS as Key Manager version 5.7.0, restrict access to the identity provider basic claim configuration to minimize the risk of exploitation. For WSO2 Identity Server version 5.8.0, avoid using the provisioning claim in the advanced claim configuration until the issue is resolved. As a temporary workaround, consider restricting privileges to log in to the management console and to add and update identity provider configurations.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 **Description** A potential stored Cross-Site Scripting (XSS) issue has been identified in the inline API documentation editor page of the API Publisher. This could allow for malicious scripts to be stored and executed, potentially affecting users of the API Manager. **Recommendations** For WSO2 API Manager version 2.6.0, consider disabling the inline API documentation editor page until a patch is available to prevent potential exploitation of the stored Cross-Site Scripting issue.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 **Description** A potential Reflected Cross-Site Scripting (XSS) issue has been identified in defining a scope in the "manage the API" page of the API Publisher. **Recommendations** For WSO2 API Manager version 2.6.0, consider restricting access to the "manage the API" page of the API Publisher until a fix is available. As a temporary workaround, avoid using the scope definition feature in the API Publisher to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 **Description** A potential Reflected Cross-Site Scripting (XSS) issue has been identified in the update API documentation feature of the API Publisher. This could potentially allow for malicious script execution. **Recommendations** For WSO2 API Manager version 2.6.0, consider disabling the update API documentation feature in the API Publisher until a patch is available. Restrict access to this feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 **Description** A potential Stored Cross-Site Scripting (XSS) issue has been identified in the 'implement phase' of the API Publisher. This could allow for malicious scripts to be stored and executed, potentially leading to security breaches. **Recommendations** For WSO2 API Manager version 2.6.0, consider disabling the 'implement phase' of the API Publisher until a patch is available to prevent potential exploitation of the Stored Cross-Site Scripting (XSS) issue.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 WSO2 Enterprise Integrator version 6.5.0 WSO2 IS as Key Manager version 5.7.0 WSO2 Identity Server version 5.8.0 **Description** A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the `roleToAuthorize` component of the registry UI. This issue affects the specified WSO2 products, potentially allowing for malicious script execution. **Recommendations** For WSO2 API Manager version 2.6.0, update to a version that includes a fix for the stored Cross-Site Scripting vulnerability. For WSO2 Enterprise Integrator version 6.5.0, update to a version that includes a fix for the stored Cross-Site Scripting vulnerability. For WSO2 IS as Key Manager version 5.7.0, update to a version that includes a fix for the stored Cross-Site Scripting vulnerability. For WSO2 Identity Server version 5.8.0, update to a version that includes a fix for the stored Cross-Site Scripting vulnerability. As a temporary workaround, consider restricting access to the registry UI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager version 2.6.0 WSO2 Enterprise Integrator version 6.5.0 WSO2 IS as Key Manager version 5.7.0 WSO2 Identity Server version 5.8.0 **Description** A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the `mediaType` in the registry UI. This issue affects the mentioned WSO2 products, potentially allowing for malicious script execution. **Recommendations** For WSO2 API Manager version 2.6.0, update to a version that includes a fix for the stored Cross-Site Scripting vulnerability. For WSO2 Enterprise Integrator version 6.5.0, update to a version that includes a fix for the stored Cross-Site Scripting vulnerability. For WSO2 IS as Key Manager version 5.7.0, update to a version that includes a fix for the stored Cross-Site Scripting vulnerability. For WSO2 Identity Server version 5.8.0, update to a version that includes a fix for the stored Cross-Site Scripting vulnerability. As a temporary workaround, consider restricting access to the registry UI to minimize the risk of exploitation.