CVE-2020-17454

Name of the Vulnerable Software and Affected Versions WSO2 API Manager versions 3.1.0 and earlier

Description The issue concerns a reflected XSS in the 'publisher' component's admin interface. Specifically, an XSS payload can be injected into the owner POST parameter due to lack of filtering of user inputs. By placing an XSS payload in the Owner Name field, a modal box appears with an error message that includes the injected payload without any data encoding, allowing for potential exploitation. This can also be exploited via CSRF.

Recommendations For WSO2 API Manager versions 3.1.0 and earlier, consider disabling the owner parameter in the 'publisher' component's admin interface as a temporary workaround until a patch is available. Restrict access to the admin interface to minimize the risk of exploitation. Avoid using the owner parameter in the affected POST request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.