Details
- Type: Security Vulnerability
- Status: Resolved
- Priority: Highest
- Resolution: Fixed
- Affects Version/s: 5.0.0-GA
- Fix Version/s: 5.0.0-GA, 5.1.0-M6, kernel-4.4.1
- Component/s: all-identity
- Labels: None
- Severity: Critical
- Estimated Complexity: Moderate
- Test cases added: Yes
Description
CVE-2015-0038
OVERVIEW
The WSO2 Identity Server 5.0.0 is vulnerable to XSS and CSRF attacks.
Severity: CRITICAL - Patch Immediately.
DESCRIPTION
XSS enables attackers to inject client-side script into web pages viewed by other users. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
IMPACT
XSS: Could be used by attackers to bypass access controls such as the same-origin policy.
CSRF: Malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
SOLUTION
Apply the patch WSO2-CARBON-PATCH-4.2.0-1256. Follow the instructions in the README file.
Note: Make sure to apply IS Service Pack 1 (WSO2-IS-5.0.0-SP01) before applying the above security patch.
ACKNOWLEDGEMENT
WSO2 thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.