RSS   Vulnerabilities for 'Api manager'   RSS

2021-04-05
 
CVE-2020-17453

CWE-79
 

 
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.

 
2020-10-29
 
CVE-2020-27885

CWE-79
 

 

 
2020-10-21
 
CVE-2020-17454

CWE-79
 

 
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal box appears that writes an error message concatenated to the injected payload (without any form of data encoding). This can also be exploited via CSRF.

 
2020-08-27
 
CVE-2020-24706

CWE-79
 

 
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.

 
2020-08-21
 
CVE-2020-24591

CWE-776
 

 
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.

 
 
CVE-2020-24590

CWE-776
 

 
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.

 
 
CVE-2020-24589

CWE-776
 

 
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.

 
2020-06-06
 
CVE-2020-13883

CWE-611
 

 
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.

 
2020-05-20
 
CVE-2020-13226

CWE-918
 

 
WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet.

 
2020-05-08
 
CVE-2020-12719

CWE-611
 

 
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.

 


Copyright 2021, cxsecurity.com

 

Back to Top