CVE-2019-20437

Name of the Vulnerable Software and Affected Versions WSO2 API Manager version 2.6.0 WSO2 IS as Key Manager version 5.7.0 WSO2 Identity Server version 5.8.0

Description An issue was discovered where a custom claim dialect with an XSS payload, when configured in the identity provider basic claim configuration, gets executed if a user picks up that dialect's URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker needs to have privileges to log in to the management console and to add and update identity provider configurations.

Recommendations For WSO2 API Manager version 2.6.0, consider disabling the custom claim dialect configuration until a patch is available. For WSO2 IS as Key Manager version 5.7.0, restrict access to the identity provider basic claim configuration to minimize the risk of exploitation. For WSO2 Identity Server version 5.8.0, avoid using the provisioning claim in the advanced claim configuration until the issue is resolved. As a temporary workaround, consider restricting privileges to log in to the management console and to add and update identity provider configurations.