PT-2020-10447 · Wso2 · Wso2 Is As Key Manager+2

Sathish Kumar Balakrishnan · Published 2020-01-27 · Updated 2022-11-10 · CVE-2019-20436

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
WSO2 API Manager version 2.6.0
WSO2 IS as Key Manager version 5.7.0
WSO2 Identity Server version 5.8.0

Description: An issue was discovered where, if a claim dialect is configured with an XSS payload in the dialect URI and a user adds this dialect's URI as the service provider claim dialect while configuring the service provider, the payload is executed. The attacker needs privileges to log in to the management console and to add and configure claim dialects.

Recommendations: For WSO2 API Manager version 2.6.0, consider disabling the claim dialect configuration feature until a patch is available. For WSO2 IS as Key Manager version 5.7.0, restrict access to the management console to minimize the risk of exploitation. For WSO2 Identity Server version 5.8.0, avoid using the claim dialect URI in the service provider configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
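The issue described above is a stored cross-site scripting flaw: a URI saved as a claim dialect is later rendered into the management console without being neutralized. As an added example that is not WSO2's code, the following Python shows the two defensive layers a practitioner would expect around such a field: validate the dialect URI when it is saved (allowed schemes only, no markup characters) and contextually escape it when it is rendered into HTML, so that even a value that slipped past validation cannot become active content. The allowed-scheme list, the length limit and the option-element markup are assumptions chosen for illustration; the sample URIs are constructed.

```python
import html
from urllib.parse import urlsplit

# Assumed policy for this example: schemes a claim dialect URI may use.
ALLOWED_SCHEMES = {"http", "https", "urn"}
MAX_URI_LENGTH = 2048  # assumed upper bound, not a WSO2 setting


def is_valid_dialect_uri(uri: str) -> bool:
    """Input-validation layer: accept only a well-formed absolute URI.

    Rejects empty or oversized values, anything containing HTML-significant
    characters or control characters, and any scheme outside ALLOWED_SCHEMES.
    """
    if not uri or len(uri) > MAX_URI_LENGTH:
        return False
    # A legitimate dialect URI never needs angle brackets or quotes.
    if any(ch in uri for ch in '<>"\'') or any(ord(ch) < 0x20 for ch in uri):
        return False
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    # http(s) URIs must carry a host; urn URIs must carry a namespace body.
    if scheme in ("http", "https") and not parts.netloc:
        return False
    if scheme == "urn" and not parts.path:
        return False
    return True


def render_dialect_option(uri: str) -> str:
    """Output-encoding layer: render a stored dialect URI as an <option> element.

    Escaping is applied unconditionally (defense in depth), so the function is
    safe even for values that were stored before validation existed.
    """
    safe = html.escape(uri, quote=True)
    return f'<option value="{safe}">{safe}</option>'


def save_dialect(store: dict, uri: str) -> bool:
    """Simulated persistence: store the URI only if it passes validation."""
    if not is_valid_dialect_uri(uri):
        return False
    store[uri] = True
    return True


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    dialects = {}
    for candidate in (
        "http://wso2.org/claims",
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "http://example.org/<b>not-a-dialect",
        "ftp://example.org/claims",
    ):
        print(f"{candidate!r}: stored={save_dialect(dialects, candidate)}")
    # Rendering always escapes, whatever the stored value looks like.
    for stored in dialects:
        print(render_dialect_option(stored))
```

Validation on write keeps malformed values out of the store; escaping on read is what actually prevents script execution in the console page, which is why the two layers are kept independent rather than relying on validation alone.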

Exploit: XSS

Weakness Enumeration

Related Identifiers: CVE-2019-20436

Affected Products:
Wso2 Api Manager
Wso2 Is As Key Manager
Wso2 Identity Server