PT-2020-15816 · Wso2 · Wso2 Identity Server Analytics+5
Published
2020-08-27
·
Updated
2024-01-11
·
CVE-2020-24705
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WSO2 API Manager versions through 3.1.0
WSO2 API Manager Analytics version 2.5.0
WSO2 IS as Key Manager versions through 5.10.0
WSO2 Identity Server versions through 5.10.0
WSO2 Identity Server Analytics versions through 5.6.0
WSO2 IoT Server version 3.1.0
Description
An issue was discovered in certain WSO2 products where a valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, also known as Session Hijacking.
Recommendations
For WSO2 API Manager versions through 3.1.0, update to a version later than 3.1.0 to resolve the issue.
For WSO2 API Manager Analytics version 2.5.0, update to a version later than 2.5.0 to resolve the issue.
For WSO2 IS as Key Manager versions through 5.10.0, update to a version later than 5.10.0 to resolve the issue.
For WSO2 Identity Server versions through 5.10.0, update to a version later than 5.10.0 to resolve the issue.
For WSO2 Identity Server Analytics versions through 5.6.0, update to a version later than 5.6.0 to resolve the issue.
For WSO2 IoT Server version 3.1.0, update to a version later than 3.1.0 to resolve the issue.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Wso2 Api Manager
Wso2 Api Manager Analytics
Wso2 Is As Key Manager
Wso2 Identity Server
Wso2 Identity Server Analytics
Wso2 Iot Server