Description
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
Remediation
References
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/
Related Vulnerabilities
CVE-2022-2217 Vulnerability in npm package parse-url
CVE-2023-48238 Vulnerability in npm package json-web-token
CVE-2020-7777 Vulnerability in npm package jsen
CVE-2021-27515 Vulnerability in maven package org.webjars.npm:url-parse
CVE-2022-36894 Vulnerability in maven package org.jenkins-ci.plugins:clif-performance-testing