An issue exists in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator up to and including 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
Vulnerable Product |
---|
wso2 identity server 5.8.0 |
wso2 enterprise integrator |
wso2 api microgateway 2.2.0 |
wso2 api manager analytics 2.2.0 |
wso2 iot server 3.3.1 |
wso2 iot server 3.3.0 |
wso2 identity server 5.5.0 |
wso2 identity server analytics 5.5.0 |
wso2 data analytics server 3.2.0 |
wso2 identity server as key manager 5.5.0 |
wso2 api manager 2.2.0 |