Description
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
Remediation
References
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/