CVE-2020-24703

Name of the Vulnerable Software and Affected Versions WSO2 API Manager versions 2.2.0 WSO2 API Manager Analytics versions 2.2.0 WSO2 API Microgateway versions 2.2.0 WSO2 Data Analytics Server versions 3.2.0 WSO2 Enterprise Integrator versions through 6.6.0 WSO2 IS as Key Manager versions 5.5.0 WSO2 Identity Server versions 5.5.0 and 5.8.0 WSO2 Identity Server Analytics versions 5.5.0 WSO2 IoT Server versions 3.3.0 and 3.3.1

Description An issue was discovered in certain WSO2 products where a valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, also known as Session Hijacking.

Recommendations For WSO2 API Manager version 2.2.0, update to a newer version to mitigate the risk. For WSO2 API Manager Analytics version 2.2.0, update to a newer version to mitigate the risk. For WSO2 API Microgateway version 2.2.0, update to a newer version to mitigate the risk. For WSO2 Data Analytics Server version 3.2.0, update to a newer version to mitigate the risk. For WSO2 Enterprise Integrator versions through 6.6.0, update to a version later than 6.6.0 to mitigate the risk. For WSO2 IS as Key Manager version 5.5.0, update to a newer version to mitigate the risk. For WSO2 Identity Server versions 5.5.0 and 5.8.0, update to a version later than 5.8.0 to mitigate the risk. For WSO2 Identity Server Analytics version 5.5.0, update to a newer version to mitigate the risk. For WSO2 IoT Server versions 3.3.0 and 3.3.1, update to a version later than 3.3.1 to mitigate the risk.