WSO2 API Manager and Identity Server Authentication Endpoint Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the authentication endpoint of WSO2 API Manager versions 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, and WSO2 Identity Server versions 5.11.0 and 5.10.0. The vulnerability arises because the authentication endpoint does not properly encode user-supplied input before reflecting it into the web page, which allows script injection. An attacker could exploit this by injecting scripts that execute in the context of the user's browser. Potential consequences include redirecting the user to a malicious website, altering the web page's user interface, or extracting information from the browser. However, session hijacking is not a risk in this case, as session-related cookies are protected by the httpOnly flag.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser. This could lead to redirection to malicious sites, manipulation of the web interface, or unauthorized access to browser-stored information. Despite these risks, session hijacking is not possible due to the httpOnly flag on session cookies.
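To make the defect described in the Vulnerability and Impact sections concrete, the following is an added illustration, not WSO2 code: the page names no parameter or template, so the reflected parameter and the HTML fragment are assumptions. It places the unencoded reflection pattern beside the encoded form and adds the regression check a defender can run over rendered output.

```python
import html

# Constructed stand-in for a login page that reflects a request parameter
# into element content. The parameter name and template are assumptions;
# the WSO2 endpoint's actual markup is not shown on the advisory page.
TEMPLATE = "<html><body><div class='alert'>{msg}</div></body></html>"


def render_unencoded(param: str) -> str:
    """Vulnerable pattern: the request parameter is placed in the page as-is,
    so any markup it carries becomes part of the DOM."""
    return TEMPLATE.format(msg=param)


def render_encoded(param: str) -> str:
    """Hardened pattern: HTML-entity-encode the value before placing it in
    element content. Note the context: entity encoding is the right encoder
    for element text; attribute values and inline script contexts need their
    own context-specific encoders."""
    return TEMPLATE.format(msg=html.escape(param, quote=True))


def reflects_markup_verbatim(param: str, page: str) -> bool:
    """Regression check for a rendered response: True when a parameter that
    contains HTML metacharacters appears in the page byte-for-byte, i.e. it
    was reflected without encoding. A value with no metacharacters is not a
    finding, since its verbatim reflection cannot introduce markup."""
    has_markup = any(c in param for c in "<>\"'&")
    return has_markup and param in page


if __name__ == "__main__":
    probe = "<b>probe</b>"  # benign marker, only used to detect raw reflection
    print(reflects_markup_verbatim(probe, render_unencoded(probe)))  # True
    print(reflects_markup_verbatim(probe, render_encoded(probe)))    # False
```

The same check applies to any response captured from a test environment: feed the reflected parameter value and the response body to reflects_markup_verbatim, and a True result means output encoding is missing for that reflection point.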

Remediation

Users of WSO2 API Manager should update to version 4.1.0 (update level 238), 4.0.0 (update level 375), 3.2.1 (update level 74), 3.2.0 (update level 455) or 3.1.0 (update level 351). WSO2 Identity Server users should update to version 5.11.0 (update level 405) or 5.10.0 (update level 360).

Added: Apr 16, 2026, 10:32 AM
Updated: Apr 16, 2026, 10:32 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 6.4
remediation: 7.7
relevance: 6.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.