Description
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
Remediation
References
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/
Related Vulnerabilities
CVE-2021-4307 Vulnerability in npm package baobab
CVE-2019-19771 Vulnerability in npm package colne
CVE-2012-1724 Vulnerability in maven package xerces:xercesimpl
CVE-2023-25822 Vulnerability in maven package com.epam.reportportal:service-api
CVE-2022-39135 Vulnerability in maven package org.apache.calcite:calcite-core