Vulnerabilities > CVE-2020-24703 - Unspecified vulnerability in Wso2 products

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

wso2

NVD

Published: 2020-08-27

Updated: 2024-01-11

Summary

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.

Vulnerable Configurations

Part	Description	Count
Application	Wso2 Wso2 Identity Server 5.8.0 Wso2 Identity Server 5.5.0 Wso2 Enterprise Integrator 6.1.1 Wso2 Enterprise Integrator 6.2.0 Wso2 Enterprise Integrator 6.3.0 Wso2 Enterprise Integrator 6.4.0 Wso2 Enterprise Integrator 6.5.0 Wso2 Enterprise Integrator 6.6.0 Wso2 API Microgateway 2.2.0 Wso2 API Manager Analytics 2.2.0 Wso2 IOT Server 3.3.1 Wso2 IOT Server 3.3.0 Wso2 Identity Server Analytics 5.5.0 Wso2 Data Analytics Server 3.2.0 Wso2 Identity Server AS KEY Manager 5.5.0 Wso2 API Manager 2.2.0	16

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0687/