WSO2 Products Server-Side Request Forgery and Reflected Cross-Site Scripting Vulnerability

Vulnerability

A vulnerability combining server-side request forgery (SSRF) and reflected cross-site scripting (XSS) has been identified in multiple WSO2 products, including WSO2 API Manager, WSO2 Identity Server, and WSO2 Traffic Manager, all at version 4.5.0. The flaw lies in the deprecated Try-It feature, which is reachable only by administrative users. The feature did not adequately validate user-supplied URLs, so the server could be made to fetch content from an arbitrary location (SSRF). The fetched content was then reflected verbatim into the HTTP response, so a response body containing script would execute in the administrator's browser in the origin of the WSO2 console (reflected XSS). The HttpOnly flag keeps session cookies out of reach of the injected script, but the script still runs as the logged-in administrator: the browser attaches those cookies to any request the script issues to the console, so the script can act with the administrator's privileges and read anything the administrator can see. Separately, the SSRF component lets a privileged user direct the server at internal services, which supports enumeration of the internal network wherever those endpoints are reachable from the affected WSO2 host.
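As an added illustration, not code from WSO2 or from the advisory, the following Python shows the two controls the Try-It feature lacked: a target check that only permits http(s) URLs to an allowlisted host resolving to public addresses, and a reflection path that treats the fetched body as inert text rather than HTML. The allowlist, the stub resolver and fetcher, the constructed upstream body, and the `validate_target`/`try_it` names are assumptions made for the example.

```python
import html
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist for this example: the only host an admin's Try-It request
# may target. A real deployment would take this from configuration.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"gateway.example.com"}


def resolve_host(host):
    """Default resolver: every address the host name maps to. Offline runs
    and tests pass a stub resolver instead so nothing touches the network."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def validate_target(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_host):
    """Decide whether the server may fetch `url` on the admin's behalf.

    Returns (ok, reason). Rejects non-http(s) schemes, URLs carrying userinfo
    (the "allowed.host@evil" trick), hosts outside the allowlist, and
    allowlisted hosts that resolve to loopback, private, link-local or other
    non-public addresses (DNS rebinding, cloud metadata endpoints).
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "unresolvable host"
    for address in addresses:
        if not ipaddress.ip_address(address).is_global:
            return False, f"resolves to non-public address {address}"
    return True, "ok"


def reflect_unsafe(upstream_body):
    """The pattern the advisory describes, kept here only for contrast:
    whatever the fetched URL returned is written into the admin's page as
    HTML, so a <script> element in it executes in the console's origin."""
    return {"Content-Type": "text/html; charset=utf-8"}, upstream_body


def reflect_safe(upstream_body):
    """Hardened reflection: upstream bytes are data, never markup. The body
    is HTML-escaped and served as text/plain with sniffing disabled, so the
    browser will not execute script from it even if another layer slips."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, html.escape(upstream_body, quote=True)


def try_it(url, fetcher, resolver=resolve_host):
    """Hardened Try-It handler: validate the target, fetch through an
    injected fetcher, reflect safely. Returns (status, headers, body)."""
    ok, reason = validate_target(url, resolver=resolver)
    if not ok:
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "rejected: " + reason
    headers, body = reflect_safe(fetcher(url))
    return 200, headers, body


# Constructed sample data so the example runs offline: an upstream body an
# attacker-controlled endpoint might serve, and a stub DNS table that maps the
# allowlisted gateway to a public address.
SAMPLE_UPSTREAM = {
    "https://gateway.example.com/echo": "<script>fetch('/admin/users')</script>",
}
SAMPLE_DNS = {"gateway.example.com": ["8.8.8.8"]}


def sample_fetcher(url):
    return SAMPLE_UPSTREAM.get(url, "")


def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("stub resolver: no such host")
    return SAMPLE_DNS[host]


if __name__ == "__main__":
    attacker_url = "https://gateway.example.com/echo"
    print("unsafe:", reflect_unsafe(sample_fetcher(attacker_url)))
    print("safe:  ", try_it(attacker_url, sample_fetcher, resolver=sample_resolver))
    for bad in ("file:///etc/passwd",
                "http://gateway.example.com@127.0.0.1/",
                "http://127.0.0.1:9443/carbon/"):
        print(bad, "->", validate_target(bad, resolver=sample_resolver))
```

Two caveats a practitioner would add before shipping this pattern. Resolving the host in `validate_target` and then letting the HTTP client resolve it again is a time-of-check/time-of-use gap that DNS rebinding exploits; the client should connect to the address that was validated. Redirects are a second hop and need the same check per hop, or should be disabled for server-side fetches altogether.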

Impact

Exploiting this vulnerability chains the SSRF with the reflected XSS. An attacker who tricks a logged-in administrator into opening a crafted Try-It link can have the server retrieve attacker-controlled content that is then reflected into the administrator's browser, where it runs as arbitrary JavaScript able to alter the console's user interface or exfiltrate data the administrator can access. Independently of the XSS, an administrator can use the SSRF to reach internal services from the WSO2 host and map non-public network resources.

Remediation

WSO2 has removed the vulnerable Try-It feature in version 4.5.0 for all affected products. Community users should apply the public fix available on the WSO2 GitHub repository or migrate to the latest unaffected version. Support subscription holders can update to the specified update level using WSO2 Updates.

Added: Oct 24, 2025, 10:17 AM
Updated: Oct 24, 2025, 10:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.0
exploitability: 6.4
remediation: 0.0
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.