// For flags

CVE-2020-17454

 

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal box appears that writes an error message concatenated to the injected payload (without any form of data encoding). This can also be exploited via CSRF.

WSO2 API Manager versiones 3.1.0 y anteriores, presenta una vulnerabilidad de tipo XSS reflejado en la interfaz de administración del componente "publisher". Más precisamente, es posible inyectar una carga útil XSS en el parámetro POST del propietario, que no filtra las entradas del usuario. Al colocar una carga útil XSS en lugar de un Nombre de Propietario válido, aparece un cuadro modal que escribe un mensaje de error concatenado con la carga útil inyectada (sin ningún tipo de codificación de datos). Esto también puede ser explotado por medio de un ataque de tipo CSRF

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-08-09 CVE Reserved
  • 2020-10-21 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Wso2
Search vendor "Wso2"
 Api Manager
Search vendor "Wso2" for product "Api Manager"
 <= 3.1.0
Search vendor "Wso2" for product "Api Manager" and version " <= 3.1.0"
-
Affected