CVE-2022-29548

Exploit

EPSS 79.28%
Published 21.04.2022 02:15:06
Last modified 21.11.2024 06:59:18
Source cve@mitre.org
Teams watchlist Login
Open Login

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.

Affected products Warnungen 0 Metrics 4 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Wso2 ≫ Api Manager Version2.2.0

Wso2 ≫ Api Manager Version2.5.0

Wso2 ≫ Api Manager Version2.6.0

Wso2 ≫ Api Manager Version3.0.0

Wso2 ≫ Api Manager Version3.1.0

Wso2 ≫ Api Manager Version3.2.0

Wso2 ≫ Api Manager Version4.0.0

Wso2 ≫ Api Manager Analytics Version2.2.0

Wso2 ≫ Api Manager Analytics Version2.5.0

Wso2 ≫ Api Manager Analytics Version2.6.0

Wso2 ≫ Api Microgateway Version2.2.0

Wso2 ≫ Data Analytics Server Version3.2.0

Wso2 ≫ Enterprise Integrator Version6.2.0

Wso2 ≫ Enterprise Integrator Version6.3.0

Wso2 ≫ Enterprise Integrator Version6.4.0

Wso2 ≫ Enterprise Integrator Version6.5.0

Wso2 ≫ Enterprise Integrator Version6.6.0

Wso2 ≫ Identity Server Version5.5.0

Wso2 ≫ Identity Server Version5.6.0

Wso2 ≫ Identity Server Version5.7.0

Wso2 ≫ Identity Server Version5.9.0

Wso2 ≫ Identity Server Version5.10.0

Wso2 ≫ Identity Server Version5.11.0

Wso2 ≫ Identity Server Analytics Version5.5.0

Wso2 ≫ Identity Server Analytics Version5.6.0

Wso2 ≫ Identity Server As Key Manager Version5.5.0

Wso2 ≫ Identity Server As Key Manager Version5.6.0

Wso2 ≫ Identity Server As Key Manager Version5.7.0

Wso2 ≫ Identity Server As Key Manager Version5.9.0

Wso2 ≫ Identity Server As Key Manager Version5.10.0

Wso2 ≫ Micro Integrator Version1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	79.28%	0.99

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
cve@mitre.org	4.6	2.1	2.5	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html

Third Party Advisory

Exploit

VDB Entry

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603

Vendor Advisory

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/

https://nvd.nist.gov/vuln/detail/CVE-2022-29548

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-29548

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-29548

EUVD