Details of VAR-202008-0562

ID

VAR-202008-0562

CVE

CVE-2020-24704

TITLE

plural WSO2 Cross-site scripting vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2020-010580

DESCRIPTION

An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1. plural WSO2 The product contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. There is a cross-site scripting vulnerability in WSO2 products, which is caused by the lack of correct verification of client data in WEB applications. An attacker can use this vulnerability to execute client code

Trust: 2.25

sources: NVD: CVE-2020-24704 // JVNDB: JVNDB-2020-010580 // CNNVD: CNNVD-202008-1348 // VULHUB: VHN-178609

AFFECTED PRODUCTS

vendor:	wso2	model:	iot server	scope:	eq	version:	3.3.0	Trust: 1.8
vendor:	wso2	model:	iot server	scope:	eq	version:	3.3.1	Trust: 1.8
vendor:	wso2	model:	identity server analytics	scope:	eq	version:	5.5.0	Trust: 1.0
vendor:	wso2	model:	identity server	scope:	eq	version:	5.8.0	Trust: 1.0
vendor:	wso2	model:	enterprise integrator	scope:	lte	version:	6.6.0	Trust: 1.0
vendor:	wso2	model:	api manager analytics	scope:	eq	version:	2.2.0	Trust: 1.0
vendor:	wso2	model:	identity server	scope:	eq	version:	5.5.0	Trust: 1.0
vendor:	wso2	model:	api microgateway	scope:	eq	version:	2.2.0	Trust: 1.0
vendor:	wso2	model:	data analytics server	scope:	eq	version:	3.2.0	Trust: 1.0
vendor:	wso2	model:	api manager	scope:	eq	version:	2.2.0	Trust: 1.0
vendor:	wso2	model:	identity server as key manager	scope:	eq	version:	5.5.0	Trust: 1.0
vendor:	wso2	model:	api manager	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	api manager analytics	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	api microgateway	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	data analytics server	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	enterprise integrator	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	identity server	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	identity server analytics	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	identity server as key manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-010580 // NVD: CVE-2020-24704

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-24704
value:	MEDIUM
Trust: 1.0
cve@mitre.org:	CVE-2020-24704
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-24704
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202008-1348
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-178609
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-24704
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-178609
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-24704
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2020-010580
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-178609 // JVNDB: JVNDB-2020-010580 // CNNVD: CNNVD-202008-1348 // NVD: CVE-2020-24704 // NVD: CVE-2020-24704

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	Cross-site scripting (CWE-79) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-178609 // JVNDB: JVNDB-2020-010580 // NVD: CVE-2020-24704

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202008-1348

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202008-1348

PATCH

title:	WSO2-2020-0685	url:	https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0685	Trust: 0.8
title:	WSO2 Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=127963	Trust: 0.6

sources: JVNDB: JVNDB-2020-010580 // CNNVD: CNNVD-202008-1348

EXTERNAL IDS

db:	NVD	id:	CVE-2020-24704	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-010580	Trust: 0.8
db:	CNNVD	id:	CNNVD-202008-1348	Trust: 0.7
db:	VULHUB	id:	VHN-178609	Trust: 0.1

sources: VULHUB: VHN-178609 // JVNDB: JVNDB-2020-010580 // CNNVD: CNNVD-202008-1348 // NVD: CVE-2020-24704

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2020-24704	Trust: 1.4
url:	https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/wso2-2020-0685/	Trust: 1.0
url:	https://docs.wso2.com/display/security/security+advisory+wso2-2020-0685	Trust: 0.7

sources: VULHUB: VHN-178609 // JVNDB: JVNDB-2020-010580 // CNNVD: CNNVD-202008-1348 // NVD: CVE-2020-24704

SOURCES

db:	VULHUB	id:	VHN-178609
db:	JVNDB	id:	JVNDB-2020-010580
db:	CNNVD	id:	CNNVD-202008-1348
db:	NVD	id:	CVE-2020-24704

LAST UPDATE DATE

2024-11-23T23:11:18.654000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-178609	date:	2020-09-08T00:00:00
db:	JVNDB	id:	JVNDB-2020-010580	date:	2021-01-28T07:56:00
db:	CNNVD	id:	CNNVD-202008-1348	date:	2021-01-05T00:00:00
db:	NVD	id:	CVE-2020-24704	date:	2024-11-21T05:15:52.603

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-178609	date:	2020-08-27T00:00:00
db:	JVNDB	id:	JVNDB-2020-010580	date:	2021-01-28T00:00:00
db:	CNNVD	id:	CNNVD-202008-1348	date:	2020-08-27T00:00:00
db:	NVD	id:	CVE-2020-24704	date:	2020-08-27T16:15:11.677