However, it would be possible to perform similar attacks as with any other CMS. For example, an attacker could use the username and password of the remote user to log into the CMS.
To protect against such attacks, we recommend the following: Use a strong password for the carbon_study_user and carbon_study_password fields.
and fields. Use the HTTPS protocol when accessing the Management Console.
Make sure that the remote host is properly configured to receive unencrypted HTTP traffic.
Ensure that the remote host does not block all unencrypted traffic. WSO2 recommends using a firewall application or other security mechanism for this purpose. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible.
If you are using a remote host that cannot receive unencrypted HTTP traffic, we recommend the following: Use a strong password for the carbon_study_user and carbon_study_password fields.
and fields. Use the HTTPS protocol when accessing the Management Console.
Make sure that the remote host is properly configured to receive unencrypted HTTP traffic.
Ensure that the remote host does not block all unencrypted traffic. WSO2 recommends using a firewall application or other security mechanism for this purpose. A Reflected Cross-
Technical details
A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible.
WSO2 recommends using a firewall application or other security mechanism for this purpose. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible.
If you are using a remote host that cannot receive unencrypted HTTP traffic, we recommend the following: Use a strong password for the carbon_study_user and carbon_study_password fields.
Use the HTTPS protocol when accessing the Management Console.
Make sure that the remote host is properly configured to receive unencrypted HTTP traffic.
Timeline
Published on: 09/09/2022 17:15:00 UTC
Last modified on: 09/14/2022 16:42:00 UTC