CVSS: 4.8EPSS: 0%CPEs: 4EXPL: 2CVE-2019-20443
https://notcve.org/view.php?id=CVE-2019-20443
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI. Se detectó un problema en WSO2 API Manager versión 2.6.0, WSO2 Enterprise Integrator versión 6.5.0, WSO2 IS as Key Manager versión 5.7.0 y WSO2 Identity Server versión 5.8.0. Se identificó una potencial vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado en mediaType en la Interfaz de Usuario de registro. • https://cybersecurityworks.com/zerodays/cve-2019-20443-wso2.html https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636 https://github.com/cybersecurityworks/Disclosed/issues/26 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 2CVE-2019-20436
https://notcve.org/view.php?id=CVE-2019-20436
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects. Se detectó un problema en WSO2 API Manager versión 2.6.0, WSO2 IS as Key Manager versión 5.7.0 y WSO2 Identity Server versión 5.8.0. Si se presenta un dialecto de reclamo configurado con una carga útil XSS en el URI de dialecto, y un usuario recoge el URI de este dialecto y lo agrega como el dialecto de reclamo del proveedor de servicios mientras configura el proveedor de servicios, esa carga es ejecutada. • https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634 https://github.com/cybersecurityworks/Disclosed/issues/19 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-15108
https://notcve.org/view.php?id=CVE-2019-15108
An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component. Se descubrió un problema en WSO2 API Manager versiones 2.6.0 anteriores a WSO2-CARBON-PATCH-4.4.0-4457. Se presenta una vulnerabilidad de tipo XSS por medio de un nombre de archivo diseñado para la funcionalidad de carga de archivos del componente simulador de eventos. • https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0597 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-6513
https://notcve.org/view.php?id=CVE-2019-6513
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one. Se encontró un problema en WSO2 API Manager 2.6.0. Es posible que un usuario logeado cargue, como documentación API, algún tipo de archivo cambiando la extensión a una permitida. • https://www.excellium-services.com/cert-xlm-advisory https://www.excellium-services.com/cert-xlm-advisory/cve-2019-6513 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-6515
https://notcve.org/view.php?id=CVE-2019-6515
An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user. Se descubrió un problema en WSO2 API Manager versión 2.6.0. Los documentos cargados para la documentación de la API están disponibles para un usuario no identificado. • https://wso2.com/security-patch-releases/api-manager https://www.excellium-services.com/cert-xlm-advisory •