CVE-2019-20436

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-20436
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20436.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-20436
Published
2020-01-28T01:15:11Z
Modified
2024-09-03T02:34:34.231609Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects.

References

Affected packages

Git / github.com/wso2/product-apim

Affected ranges

Type
GIT
Repo
https://github.com/wso2/product-apim
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

test-tag-1.*

test-tag-1.9.0-Alpha

v1.*

v1.10.0
v1.10.0-Alpha
v1.10.0-Beta
v1.10.0-rc3
v1.10.0-rc4
v1.9.0
v1.9.0-Alpha
v1.9.0-Beta
v1.9.0-Beta-2
v1.9.0-Beta-3
v1.9.0-M2

v2.*

v2.0.0
v2.0.0-ALPHA
v2.0.0-BETA
v2.0.0-M1
v2.0.0-M2
v2.0.0-M3
v2.0.0-M4
v2.0.0-M5
v2.0.0-beta2
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.1.0-alpha
v2.1.0-update1
v2.1.0-update10
v2.1.0-update11
v2.1.0-update12
v2.1.0-update13
v2.1.0-update14
v2.1.0-update2
v2.1.0-update3
v2.1.0-update4
v2.1.0-update5
v2.1.0-update6
v2.1.0-update7
v2.1.0-update8
v2.1.0-update9
v2.2.0
v2.2.0-update1
v2.2.0-update2
v2.2.0-update3
v2.2.0-update4
v2.2.0-update5
v2.2.0-update6
v2.2.0-update7
v2.5.0
v2.5.0-Alpha
v2.5.0-Beta
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.6.0
v2.6.0-alpha
v2.6.0-alpha2
v2.6.0-beta
v2.6.0-beta2
v2.6.0-m1
v2.6.0-m2
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3