WSO2 Products Cross-Site Request Forgery Vulnerability in Admin Services

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in multiple WSO2 products. This issue arises from the use of the HTTP GET method for state-changing operations in admin services, particularly within the event processor of the Carbon console. While the SameSite=Lax cookie attribute is intended as a mitigation, it is ineffective here, as it permits cookies to be sent with cross-origin top-level navigations using GET requests. Exploitation of this vulnerability involves tricking an authenticated user into clicking a malicious link, which can lead to unauthorized state-changing actions such as data modification or account changes. WSO2 Secure Production Guidelines recommend not exposing Carbon console services to untrusted networks, which may lessen the impact in well-secured deployments.

Impact

Exploitation could allow unauthorized users to perform state-changing operations, potentially leading to unauthorized data modifications, account changes, or other administrative actions.