CVE-2019-20436

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html	Exploit Third Party Advisory
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634	Vendor Advisory
https://github.com/cybersecurityworks/Disclosed/issues/19	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wso2:api_manager:2.6.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.7.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.8.0:::::::*

History

10 Nov 2022, 04:50

Type	Values Removed	Values Added
References	~~(MISC) https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html -~~	(MISC) https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html - Exploit, Third Party Advisory

Information

Published : 2020-01-28 01:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-20436

Mitre link : CVE-2019-20436

CVE.ORG link : CVE-2019-20436

JSON object : View

Products Affected

wso2

api_manager
identity_server

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2019-20436", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-01-28T01:15:11.957", "references": [{"url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/cybersecurityworks/Disclosed/issues/19", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects."}, {"lang": "es", "value": "Se detect\u00f3 un problema en WSO2 API Manager versi\u00f3n 2.6.0, WSO2 IS as Key Manager versi\u00f3n 5.7.0 y WSO2 Identity Server versi\u00f3n 5.8.0. Si se presenta un dialecto de reclamo configurado con una carga \u00fatil XSS en el URI de dialecto, y un usuario recoge el URI de este dialecto y lo agrega como el dialecto de reclamo del proveedor de servicios mientras configura el proveedor de servicios, esa carga es ejecutada. El atacante tambi\u00e9n necesita contar con privilegios para iniciar sesi\u00f3n en la consola de administraci\u00f3n y para agregar y configurar dialectos de reclamo."}], "lastModified": "2022-11-10T04:50:10.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333"}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974"}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}