{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-29T20:05:03", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/cybersecurityworks/Disclosed/issues/19"}, {"tags": ["x_refsource_MISC"], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2019-20436", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634", "refsource": "MISC", "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"}, {"name": "https://github.com/cybersecurityworks/Disclosed/issues/19", "refsource": "MISC", "url": "https://github.com/cybersecurityworks/Disclosed/issues/19"}, {"name": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html", "refsource": "MISC", "url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:39:09.966Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cybersecurityworks/Disclosed/issues/19"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20436", "datePublished": "2020-01-27T23:36:25", "dateReserved": "2020-01-27T00:00:00", "dateUpdated": "2024-08-05T02:39:09.966Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects."}, {"lang": "es", "value": "Se detect\u00f3 un problema en WSO2 API Manager versi\u00f3n 2.6.0, WSO2 IS as Key Manager versi\u00f3n 5.7.0 y WSO2 Identity Server versi\u00f3n 5.8.0. Si se presenta un dialecto de reclamo configurado con una carga \u00fatil XSS en el URI de dialecto, y un usuario recoge el URI de este dialecto y lo agrega como el dialecto de reclamo del proveedor de servicios mientras configura el proveedor de servicios, esa carga es ejecutada. El atacante tambi\u00e9n necesita contar con privilegios para iniciar sesi\u00f3n en la consola de administraci\u00f3n y para agregar y configurar dialectos de reclamo."}], "id": "CVE-2019-20436", "lastModified": "2024-11-21T04:38:28.637", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "[email protected]", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "[email protected]", "type": "Primary"}]}, "published": "2020-01-28T01:15:11.957", "references": [{"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/cybersecurityworks/Disclosed/issues/19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20436-wso2.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/cybersecurityworks/Disclosed/issues/19"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}

{}