PT-2022-25008 · Wso2 · Wso2 Enterprise Integrator
Massimiliano Brolli
Published 2022-09-09
Updated 2022-09-14
CVE-2022-39810
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WSO2 Enterprise Integrator version 6.4.0
Description
A Reflected Cross-Site Scripting (XSS) issue has been identified in the Management Console under "/carbon/ndatasource/validateconnection/ajaxprocessor.jsp" via the driver parameter. Although this class of issue could lead to session hijacking or similar attacks, it is noted that such attacks would not be possible in this case.
Recommendations
For WSO2 Enterprise Integrator version 6.4.0, consider disabling access to the "/carbon/ndatasource/validateconnection/ajaxprocessor.jsp" endpoint or restricting the use of the driver parameter until a patch is available.
Fix
XSS
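The recommendation to restrict the endpoint and its driver parameter can be monitored from web access logs. The following is an added example, not code from the advisory or from WSO2: it scans Common Log Format lines for requests to the affected endpoint and flags driver values that do not look like a JDBC driver class name (the class-name policy and the sample log lines are assumptions constructed for the example).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory.
ENDPOINT = "/carbon/ndatasource/validateconnection/ajaxprocessor.jsp"

# Assumption: a legitimate 'driver' value is a fully qualified Java class name,
# e.g. org.h2.Driver; anything else (quotes, angle brackets, spaces) is flagged.
DRIVER_CLASS = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return None for lines not hitting the endpoint, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return None
    # parse_qs percent-decodes values, so encoded markup is inspected in clear.
    drivers = parse_qs(parts.query, keep_blank_values=True).get("driver", [])
    suspicious = [d for d in drivers if not DRIVER_CLASS.match(d)]
    return {
        "src": m.group("src"),
        "status": int(m.group("status")),
        "driver": drivers,
        "suspicious": bool(suspicious),
    }


def scan(lines):
    """Return the hits for every line that touches the affected endpoint."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [09/Sep/2022:10:00:00 +0000] "GET ' + ENDPOINT +
    '?driver=org.h2.Driver&url=jdbc:h2:mem:test HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Sep/2022:10:00:05 +0000] "GET ' + ENDPOINT +
    '?driver=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [09/Sep/2022:10:00:09 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Every hit is worth reviewing while the endpoint is supposed to be disabled; the suspicious flag only narrows attention to driver values that cannot be a class name.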
Affected Products
Wso2 Enterprise Integrator