WSO2 Management Console XML Injection

2022.06.20
Credit: Hakan Bayir
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

XML External Entity (XXE) vulnerability in the WSO2 Management Console I. VULNERABILITY ------------------------- XML External Entity (XXE) II. CVE REFERENCE ------------------------- CVE-2021-42646 III. VENDOR ------------------------- https://wso2.com/ IV. TIMELINE ------------------------- 14/02/2021 Vulnerability discovered 14/02/2021 Vendor contacted 01/07/2021 WSO2 replay that they fixed V. CREDIT ------------------------- Hakan Bayir at Cyberwise. VI. DESCRIPTION ------------------------- An XML External Entity vulnerability was identified in the file based service provider creation feature of the Management Console. https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1289 VII. Remediation ------------------------- If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix: https://github.com/wso2/carbon-identity-framework/pull/3472 -- Hakan Bayır


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top