org.wso2.carbon:org.wso2.carbon.ui@4.4.22 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.wso2.carbon:org.wso2.carbon.ui package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: M (Medium)
Cross-site Scripting (XSS)

org.wso2.carbon:org.wso2.carbon.ui is a package that provides the Carbon UI.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper output encoding, which can be exploited by tampering with the parameter in the Management Console.

Note: this vulnerability affects the following products:

  1. WSO2 API Manager: 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0
  2. WSO2 API Manager Analytics: 2.2.0, 2.5.0, 2.6.0
  3. WSO2 API Microgateway: 2.2.0
  4. WSO2 Data Analytics Server: 3.2.0
  5. WSO2 Enterprise Integrator: 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0
  6. WSO2 IS as Key Manager: 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0
  7. WSO2 Identity Server: 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, 5.11.0
  8. WSO2 Identity Server Analytics: 5.5.0, 5.6.0
  9. WSO2 Micro Integrator: 1.0.0

How to fix Cross-site Scripting (XSS)?

Upgrade org.wso2.carbon:org.wso2.carbon.ui to version 4.6.3-m6 or higher.

Vulnerable versions: [,4.6.3-m6)

Severity: C (Critical)
Arbitrary File Upload

org.wso2.carbon:org.wso2.carbon.ui is a package that provides the Carbon UI.

Affected versions of this package are vulnerable to Arbitrary File Upload due to improper validation of user input: a malicious actor could upload an arbitrary file to a user-controlled location on the server. By leveraging the arbitrary file upload, it is further possible to gain remote code execution on the server.

Note: the vulnerable components are:

  1. WSO2 API Manager 2.2.0 and above
  2. WSO2 Identity Server 5.2.0 and above
  3. WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
  4. WSO2 Identity Server as Key Manager 5.3.0 and above
  5. WSO2 Enterprise Integrator 6.2.0 and above

How to fix Arbitrary File Upload?

Upgrade org.wso2.carbon:org.wso2.carbon.ui to version 4.7.0-m9 or higher.

Vulnerable versions: [,4.7.0-m9)

Severity: H (High)
Server-side Request Forgery (SSRF)

org.wso2.carbon:org.wso2.carbon.ui is a package that provides the Carbon UI.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking.

How to fix Server-side Request Forgery (SSRF)?

Upgrade org.wso2.carbon:org.wso2.carbon.ui to version 4.6.1-m4 or higher.

Vulnerable versions: [,4.6.1-m4)

Severity: H (High)
Improper Authentication

org.wso2.carbon:org.wso2.carbon.ui is a package that provides the Carbon UI.

Affected versions of this package are vulnerable to Improper Authentication. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking.

How to fix Improper Authentication?

Upgrade org.wso2.carbon:org.wso2.carbon.ui to version 4.6.1-m4 or higher.

Vulnerable versions: [,4.6.1-m4)

Severity: M (Medium)
Cross-site Scripting (XSS)

org.wso2.carbon:org.wso2.carbon.ui is a package that provides the Carbon UI.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The Try It tool allows Reflected XSS.

How to fix Cross-site Scripting (XSS)?

Upgrade org.wso2.carbon:org.wso2.carbon.ui to version 4.5.1 or higher.

Vulnerable versions: [,4.5.1)

Severity: M (Medium)
Cross-site Scripting (XSS)

org.wso2.carbon:org.wso2.carbon.ui is a package that provides the Carbon UI.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The Try It tool allows Reflected XSS.

How to fix Cross-site Scripting (XSS)?

Upgrade org.wso2.carbon:org.wso2.carbon.ui to version 4.6.1-m4 or higher.

Vulnerable versions: [,4.6.1-m4)