CVE-2019-20437

Source
https://cve.org/CVERecord?id=CVE-2019-20437
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20437.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-20437
Published
2020-01-28T01:15:12.037Z
Modified
2026-07-08T05:55:00.751970227Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect's URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker also needs to have privileges to log in to the management console, and to add and update identity provider configurations.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "5.7.0"
                },
                {
                    "last_affected": "5.7.0"
                },
                {
                    "introduced": "5.8.0"
                },
                {
                    "last_affected": "5.8.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "wso2:identity_server"
        }
    ]
}
References

Affected packages

Git / github.com/wso2/product-apim

Affected ranges

Type
GIT
Repo
https://github.com/wso2/product-apim
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.6.0"
        },
        {
            "last_affected": "2.6.0"
        }
    ],
    "cpe": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
    "source": "CPE_STRING"
}

Affected versions

2.*
2.6.0
v2.*
v2.6.0
v2.6.0-rc3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20437.json"