IDENTITY-3280 (WSO2 Identity Server)

The WSO2 Identity Server 5.0.0 is vulnerable to XSS and CSRF attacks.

Details

• Severity: Critical
• Estimated Complexity: Moderate
• Test cases added: Yes

Description

CVE-2015-0038

OVERVIEW
The WSO2 Identity Server 5.0.0 is vulnerable to XSS and CSRF attacks.
Severity: CRITICAL - Patch Immediately.

DESCRIPTION
XSS enables attackers to inject client-side script into web pages viewed by other users. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

IMPACT
XSS: Could be used by attackers to bypass access controls such as the same-origin policy.
CSRF: Malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
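As an added illustration (not code from this issue or from WSO2), the following Python handler shows the two standard server-side mitigations for the bug classes the advisory names: for CSRF, a per-session synchronizer token compared in constant time plus an Origin/Referer check on state-changing requests; for XSS, contextual HTML escaping of user-controlled values before they are reflected. The Session, Request and handle_rename names, the site origin and the sample inputs are all assumptions constructed for the example; the issue does not identify which Identity Server pages were affected.

```python
"""Defensive checks against the two bug classes named in the advisory.

Added illustration, not WSO2 code. Names such as Session, Request and
handle_rename are hypothetical; the site origin is a constructed value.
"""
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

TOKEN_FORM_FIELD = "csrf_token"


@dataclass
class Session:
    """Server-side session; the CSRF token is minted once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    session: Optional[Session]
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def csrf_token_valid(session: Session, request: Request) -> bool:
    """Synchronizer-token check: the form must echo the session's token."""
    submitted = request.form.get(TOKEN_FORM_FIELD, "")
    # Constant-time comparison so token bytes are not leaked via timing.
    return hmac.compare_digest(session.csrf_token, submitted)


def origin_allowed(request: Request, site_origin: str) -> bool:
    """Secondary CSRF defence: if the browser sent Origin/Referer, it must
    match the site's own scheme and host exactly (no prefix matching)."""
    hdr = request.headers.get("Origin") or request.headers.get("Referer")
    if hdr is None:
        return True  # older clients omit it; the token check still applies
    sent, site = urlsplit(hdr), urlsplit(site_origin)
    return (sent.scheme, sent.netloc) == (site.scheme, site.netloc)


def render_greeting(display_name: str) -> str:
    """Output encoding for an HTML text node: escape <, >, &, quotes."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


def handle_rename(request: Request,
                  site_origin: str = "https://idp.example.test"):
    """State-changing endpoint: renames the logged-in user's display name.
    Returns (status_code, body)."""
    if request.session is None:
        return 401, "not authenticated"
    if request.method != "POST":
        return 405, "method not allowed"  # never mutate state on GET
    if not origin_allowed(request, site_origin):
        return 403, "CSRF check failed: cross-site origin"
    if not csrf_token_valid(request.session, request):
        return 403, "CSRF check failed: missing or wrong token"
    new_name = request.form.get("display_name", "")
    request.session.user = new_name
    # Reflect the new value only through the escaping renderer.
    return 200, render_greeting(new_name)


if __name__ == "__main__":
    sess = Session(user="alice")
    # Constructed cross-site request: no token, foreign Origin -> rejected.
    forged = Request("POST", sess, {"display_name": "mallory"},
                     {"Origin": "https://evil.example"})
    print(handle_rename(forged))
    # Constructed same-site request carrying the session token -> accepted,
    # and the markup in the name is neutralised on output.
    legit = Request("POST", sess,
                    {"display_name": "<b>Bob</b>",
                     TOKEN_FORM_FIELD: sess.csrf_token},
                    {"Origin": "https://idp.example.test"})
    print(handle_rename(legit))
```

The token is bound to the session rather than the user so a forged request from another origin cannot know it, and the Origin check rejects the cross-site case even before the token is examined; escaping at render time, rather than on input, keeps the stored value intact while making it inert in HTML context.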

SOLUTION
Apply the patch WSO2-CARBON-PATCH-4.2.0-1256. Follow the instructions in the README file.

Note: Make sure to apply IS Service Pack-1 (WSO2-IS-5.0.0-SP01) before applying the security patch above.

ACKNOWLEDGEMENT
WSO2 thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.

People

• Assignee: Johann Nallathamby (johann@wso2.com)
• Reporter: Johann Nallathamby (johann@wso2.com)