WSO2 Products Authenticated Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in multiple WSO2 products, including WSO2 API Manager, API Control Plane, Universal Gateway, and Traffic Manager. The vulnerability arises from improper validation of user input during API document uploads in the Publisher portal. A user with publisher privileges can upload a malicious API document containing JavaScript, which is then executed in the browser of any other user who views that document. Successful exploitation could lead to redirection to harmful websites, unauthorized modification of the user interface, or extraction of data accessible through the browser. However, the session cookies are protected by the httpOnly flag, so they cannot be read by script and session hijacking through this vector is prevented.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded malicious scripts are executed in the context of the user viewing the API document.
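The root cause described above is stored document content that reaches other users' browsers as live markup. The following Python sketch is an added example of the class of control that closes that gap; it is not WSO2's code or the GitHub fix mentioned in the Remediation section, and the tag allowlist, the `sanitize_document` helper and the sample upload are assumptions constructed for the illustration. It rebuilds an uploaded document from parsed tokens, keeps only harmless formatting tags and http(s) links, discards script and style bodies outright, and re-encodes all text on output.

```python
"""Allowlist sanitizer for uploaded API documents (added example, not WSO2 code).

Stored XSS of the kind described in the advisory happens when uploaded
document content is stored and later rendered as HTML without validation.
The control shown here keeps a small allowlist of formatting tags, drops
every other element (script, img, iframe, event handlers, ...) and
re-escapes all text, so a publisher-uploaded document cannot carry
executable content to the browsers of other users.
"""
from html import escape
from html.parser import HTMLParser

# Assumed policy for API documentation: simple formatting and http(s) links only.
ALLOWED_TAGS = {"p", "br", "ul", "ol", "li", "strong", "em", "code", "pre",
                "h1", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href"}}       # no id/class/style/on* attributes anywhere
SAFE_URL_PREFIXES = ("http://", "https://")
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}   # their body is discarded, never escaped-through


class DocumentSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only allowed markup.

    Comments, DOCTYPEs and processing instructions are dropped because the
    HTMLParser handlers for them are no-ops by default.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments
        self.open_tags = []    # stack of emitted tags, keeps output balanced
        self.skip_depth = 0    # > 0 while inside <script>/<style>
        self.dropped = []      # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # whole element and all its attributes go
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                self.dropped.append(f"{tag}@{name}")
                continue
            # Reject javascript:, data: and every other non-http(s) link target.
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag not in self.open_tags:
            return  # disallowed, void, or never-opened tag
        while self.open_tags:  # close everything opened after it, keeping output balanced
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if self.skip_depth:
            return  # script/style body is thrown away entirely
        self.out.append(escape(data))  # text is always re-encoded on output

    def result(self):
        while self.open_tags:  # close anything the upload left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_document(html):
    """Return (safe_html, dropped_items) for an uploaded document body."""
    parser = DocumentSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


# Constructed sample upload: legitimate documentation mixed with payloads a
# malicious publisher might embed. Not taken from any real WSO2 document.
SAMPLE_UPLOAD = (
    "<h2>Orders API</h2>"
    "<p>Call <code>GET /orders</code> with a bearer token.</p>"
    "<script>alert(document.domain)</script>"
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">docs</a>'
    '<a href="https://example.com/spec">spec</a>'
)

if __name__ == "__main__":
    safe, dropped = sanitize_document(SAMPLE_UPLOAD)
    print(safe)
    print("dropped:", dropped)
```

Run this both at upload time, so the stored copy is already clean, and again at render time, so a document stored before the fix is not trusted; the `dropped` list is worth logging, since a publisher account whose uploads repeatedly shed script tags or javascript: links is a useful detection signal. A Content-Security-Policy on the portal pages adds a second layer should the sanitizer ever be bypassed.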

Remediation

Users of WSO2 API Manager versions 3.2.0, 3.2.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, and 4.5.0, as well as WSO2 API Control Plane, Universal Gateway, and Traffic Manager, all at version 4.5.0, should update to the specified U2 update levels. Community users can apply the public fix available on GitHub. Support subscription holders can use WSO2 Updates to apply the fix.

Added: Sep 23, 2025, 3:16 PM
Updated: Sep 23, 2025, 3:16 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.7
exploitability: 5.2
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.