WSO2 IS as Key Manager 5.7.0 allows web vulnerabilities

hugeously Overview :

An attacker can trick a privileged user while using WSO2 IS as Key Manager

Egra Affected Product(s) :

WSO2 IS as Key Manager 5.7.0

Vulnerability Details :

CVE ID :	CVE-2019-18882
	A reflected XSS attack could be performed in the dashboard user profile by sending an HTTP GET request with harmful request parameters. Further, a stored XSS attack could be performed in the download-userinfo. jag due to an improper Content-Type of the downloading content.
CVE ID :	CVE-2019-18881
	WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.

Solution :

Apply the following patch based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.

Please download the relevant patch based on the product you use following the matrix below. The patch can also be downloaded from http://wso2.com/security-patch-releases/.

Code	Product	Version	Patch
IS KM	WSO2 IS as Key Manager	5.7.0	WSO2-CARBON-PATCH-4.4.0-5019

Contact us to get started

CVE-2024-7261 : ZYXEL NWA1123ACV3/WAC500/WAX655E/WBE530/USG LITE 60AX COOKIE HOST OS COMMAND INJECTION

Description The improper neutralization of special elements in the parameter “host” in the CGI program of Zyxel NWA1123ACv3 firmware version

Learn more

CVE-2024-1621 : NT-WARE UNIFLOW ONLINE UP TO 2024.1.0 REGISTRATION VERIFICATION OF SOURCE

Description The registration process of uniFLOW Online (NT-ware product) apps, prior to and including version 2024.1.0, can be compromised when

Learn more

CVE-2024-45623 : D-LINK DAP-2310 1.16RC028 ATP BINARY STACK-BASED OVERFLOW

Description D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in

Learn more