ID

VAR-202112-0340


CVE

CVE-2021-36760


TITLE

WSO2 Identity Server  Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-015902

DESCRIPTION

In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.). WSO2 Identity Server Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. WSO2 Identity Server (IS) is an identity authentication server of WSO2 company in the United States. There is a security vulnerability in WSO2 Identity Server. (recoverpassword. No detailed vulnerability details are currently provided

Trust: 2.16

sources: NVD: CVE-2021-36760 // JVNDB: JVNDB-2021-015902 // CNVD: CNVD-2021-100293

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-100293

AFFECTED PRODUCTS

vendor:wso2model:identity serverscope:eqversion:5.7.0

Trust: 1.6

vendor:wso2model:api managerscope:eqversion:3.1.0

Trust: 1.0

vendor:wso2model:identity server as key managerscope:eqversion:5.10.0

Trust: 1.0

vendor:wso2model:identity serverscope:eqversion:5.10.0

Trust: 1.0

vendor:wso2model:identity server as key managerscope:eqversion:5.9.0

Trust: 1.0

vendor:wso2model:identity serverscope:eqversion:5.8.0

Trust: 1.0

vendor:wso2model:api managerscope:eqversion:3.2.0

Trust: 1.0

vendor:wso2model:iot serverscope:eqversion:3.3.1

Trust: 1.0

vendor:wso2model:identity serverscope:eqversion:5.9.0

Trust: 1.0

vendor:wso2model:api managerscope:eqversion:3.0.0

Trust: 1.0

vendor:wso2model:identity server as key managerscope:eqversion:5.5.0

Trust: 1.0

vendor:wso2model:identity server as key managerscope:eqversion:5.6.0

Trust: 1.0

vendor:wso2model:identity serverscope:eqversion:5.11.0

Trust: 1.0

vendor:wso2model:identity server as key managerscope:eqversion:5.7.0

Trust: 1.0

vendor:wso2model:api managerscope:eqversion:4.0.0

Trust: 1.0

vendor:wso2model:identity server as key managerscope:eqversion:5.3.0

Trust: 1.0

vendor:wso2model:identity serverscope: - version: -

Trust: 0.8

vendor:wso2model:api managerscope: - version: -

Trust: 0.8

vendor:wso2model:identity server as key managerscope: - version: -

Trust: 0.8

vendor:wso2model:iot serverscope: - version: -

Trust: 0.8

sources: CNVD: CNVD-2021-100293 // JVNDB: JVNDB-2021-015902 // NVD: CVE-2021-36760

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-36760
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-36760
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-100293
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202112-509
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2021-36760
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-100293
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-36760
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-36760
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-100293 // JVNDB: JVNDB-2021-015902 // CNNVD: CNNVD-202112-509 // NVD: CVE-2021-36760

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-015902 // NVD: CVE-2021-36760

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-509

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202112-509

PATCH

title:2021 Advisories WSO2 Platform Securityurl:https://docs.wso2.com/display/Security/2021+Advisories

Trust: 0.8

title:Patch for WSO2 Identity Server Cross-Site Scripting Vulnerability (CNVD-2021-100293)url:https://www.cnvd.org.cn/patchInfo/show/305941

Trust: 0.6

title:WSO2 Identity Server Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=173863

Trust: 0.6

sources: CNVD: CNVD-2021-100293 // JVNDB: JVNDB-2021-015902 // CNNVD: CNNVD-202112-509

EXTERNAL IDS

db:NVDid:CVE-2021-36760

Trust: 3.8

db:JVNDBid:JVNDB-2021-015902

Trust: 0.8

db:CNVDid:CNVD-2021-100293

Trust: 0.6

db:CNNVDid:CNNVD-202112-509

Trust: 0.6

sources: CNVD: CNVD-2021-100293 // JVNDB: JVNDB-2021-015902 // CNNVD: CNNVD-202112-509 // NVD: CVE-2021-36760

REFERENCES

url:https://docs.wso2.com/display/security/2021+advisories

Trust: 1.6

url:https://docs.wso2.com/display/security/security+advisory+wso2-2021-1314

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-36760

Trust: 1.4

sources: CNVD: CNVD-2021-100293 // JVNDB: JVNDB-2021-015902 // CNNVD: CNNVD-202112-509 // NVD: CVE-2021-36760

SOURCES

db:CNVDid:CNVD-2021-100293
db:JVNDBid:JVNDB-2021-015902
db:CNNVDid:CNNVD-202112-509
db:NVDid:CVE-2021-36760

LAST UPDATE DATE

2024-08-14T15:42:41.580000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-100293date:2021-12-16T00:00:00
db:JVNDBid:JVNDB-2021-015902date:2022-12-02T04:38:00
db:CNNVDid:CNNVD-202112-509date:2021-12-10T00:00:00
db:NVDid:CVE-2021-36760date:2021-12-09T17:50:00.903

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-100293date:2021-12-16T00:00:00
db:JVNDBid:JVNDB-2021-015902date:2022-12-02T00:00:00
db:CNNVDid:CNNVD-202112-509date:2021-12-07T00:00:00
db:NVDid:CVE-2021-36760date:2021-12-07T21:15:08.297