CVE-2019-20440
The CVE-2019-20440 entry concerns WSO2 API Manager 2.6.0, describing a potential Reflected Cross-Site Scripting (XSS) vulnerability in the update API documentation feature of the API Publisher. All connected sources reiterate the same issue without providing concrete exploit details, affected sub...
CVE-2019-20440
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting XSS vulnerability has been identified in the update API documentation feature of the API Publisher...
CVE-2019-20441
An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting XSS vulnerability has been identified in the 'implement phase' of the API Publisher...
CVE-2019-20441
CVE-2019-20441 affects WSO2 API Manager 2.6.0, with a potential Stored Cross-Site Scripting (XSS) vulnerability in the API Publisher’s implement phase. Publicly documented details consistently describe the issue as a stored XSS in the publisher UI logic, but do not provide concrete exploit chains...
CVE-2019-20442
Root cause: Stored Cross-Site Scripting (XSS) in the registry UI of WSO2 products. Affected: WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. The XSS vulnerability is reported in roleToAuthorize handling. Impact: potential exp...
CVE-2019-20442
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting XSS vulnerability in roleToAuthorize has been identified in the registry UI...
CVE-2019-20443
CVE-2019-20443 affects WSO2 products: API Manager 2.6.0, Enterprise Integrator 6.5.0, Identity Server 5.8.0, and related Key Manager 5.7.0. The issue is a potential stored Cross-Site Scripting (XSS) in the registry UI due to improper handling of mediaType in the UI component. Impact described acr...
CVE-2019-20436
Affected software: WSO2 API Manager 2.6.0; WSO2 IS as Key Manager 5.7.0; WSO2 Identity Server 5.8.0. Issue: configuring a claim dialect whose URI contains an XSS payload can cause execution when the URI is added as a service provider claim dialect during SP configuration, given the attacker has a...
PT-2020-10446 · WSO2 · WSO2 API Manager
Name of the Vulnerable Software and Affected Versions: WSO2 API Manager version 2.6.0 Description: A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful docName request parameter. Recommendations: F...
PT-2020-10447 · WSO2 · WSO2 Identity Server +2
Name of the Vulnerable Software and Affected Versions: WSO2 API Manager version 2.6.0 WSO2 IS as Key Manager version 5.7.0 WSO2 Identity Server version 5.8.0 Description: An issue was discovered where if a claim dialect is configured with an XSS payload in the dialect URI, and a user adds this...
CVE-2019-15108
An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component...
CVE-2019-15108
CVE-2019-15108 affects WSO2 API Manager 2.6.0 (pre-4.4.0-4457 patch) due to an XSS vulnerability in the file-upload feature of the event simulator component triggered by a crafted filename. The impact is an XSS condition as described in sources. Remediation: apply WSO2-CARBON-PATCH-4.4.0-4457 to ...
PT-2019-13988 · WSO2 · WSO2 API Manager
Name of the Vulnerable Software and Affected Versions: WSO2 API Manager versions 2.6.0 through the version before WSO2-CARBON-PATCH-4.4.0-4457 Description: The issue is related to a crafted filename that can cause XSS via the file-upload feature of the event simulator component. Recommendations:...
CVE-2019-6513
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one...
CVE-2019-6513
WSO2 API Manager 2.6.0 is affected by CVE-2019-6513: a logged-in user can upload, as API documentation, any type of file by changing its extension to an allowed one. This vulnerability is described across multiple sources (NVD, OSV, CVE records) with the same root issue. No explicit exploits, mit...