cbcvebase.
CVE-2020-17453
published 2021-04-05

CVE-2020-17453: WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.

Priority: P2 (78)
Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 26.12% (97.7th percentile)

Affected

17 ranges

Vendor   Product                           Version range   Fixed in
wso2     api_manager                       <= 3.2.0
wso2     api_manager_analytics
wso2     api_manager_analytics
wso2     api_manager_analytics
wso2     api_microgateway
wso2     enterprise_integrator             <= 6.6.0
wso2     identity_server                   <= 5.10.0
wso2     identity_server_analytics
wso2     identity_server_analytics
wso2     identity_server_analytics
wso2     identity_server_analytics
wso2     identity_server_as_key_manager
wso2     identity_server_as_key_manager
wso2     identity_server_as_key_manager
wso2     identity_server_as_key_manager
wso2     identity_server_as_key_manager
wso2     micro_integrator

Detection & IOCs (extracted from sources)

url: /carbon/admin/login.jsp?msgId=%27%3Balert(%27document.domain%27)%2F%2F
path: /carbon/admin/login.jsp
  • Look for the XSS payload in the HTTP response body: the reflected string '';alert('document.domain')//; appearing in the login page body indicates successful exploitation.
  • The vulnerable parameter is `msgId` in a GET request to /carbon/admin/login.jsp. Monitor for URL-encoded JavaScript injection patterns (e.g., %27%3B, %2F%2F) in this parameter.
  • Use the Google dork inurl:"carbon/admin/login" to identify exposed WSO2 Management Console instances; exposure alone does not confirm the version is vulnerable.
  • The vulnerability is exploitable without authentication (PR:N) as well as from authenticated sessions, so detection must cover pre-login traffic to the login.jsp endpoint.
  • Identify WSO2 Carbon Management Console instances via Shodan favicon hash 1398055326 or FOFA icon_hash=1398055326 for asset discovery and exposure assessment.
  • The nuclei template requires an HTTP 200 response, the string '';alert('document.domain')//; in the body, AND text/html in the response header; all three conditions must match for a confirmed finding.
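The two checks described above, the log-side watch on the msgId parameter and the response-side three-condition match, as an added worked example. This is not code from this page or from the Nuclei project: the access-log lines and the response body are constructed samples, the injection-pattern regex is a heuristic of my own rather than anything the template uses, and the log format assumed is the common/combined format.

```python
"""Added detection helpers for CVE-2020-17453 (reflected XSS via
/carbon/admin/login.jsp?msgId=...). Not from the page or the Nuclei project.

Two independent checks:
  1. log side: scan web-server access log lines for requests to the
     vulnerable path whose decoded msgId contains JS-injection sequences;
  2. response side: the same three-condition AND match the Nuclei template
     applies (HTTP 200, payload string in body, text/html content type).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/carbon/admin/login.jsp"
VULN_PARAM = "msgId"
# Reflected string the Nuclei template looks for in the body (from the IOC list above).
REFLECTED_MARKER = "'';alert('document.domain')//;"

# Heuristic (my own, not from the template): sequences that break out of a JS
# string literal or start script content. Legitimate msgId values are i18n keys
# such as "login.fail.message", which never contain these.
INJECTION_RE = re.compile(r"""(['"];|//|/\*|\balert\s*\(|<script)""", re.IGNORECASE)

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic): a benign request, the
# template's probe, an unrelated request, and a generic <script> attempt.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Apr/2021:10:00:01 +0000] "GET /carbon/admin/login.jsp?msgId=login.fail.message HTTP/1.1" 200 5123',
    '203.0.113.25 - - [05/Apr/2021:10:00:07 +0000] "GET /carbon/admin/login.jsp?msgId=%27%3Balert(%27document.domain%27)%2F%2F HTTP/1.1" 200 5160',
    '203.0.113.25 - - [05/Apr/2021:10:00:09 +0000] "GET /carbon/admin/index.jsp HTTP/1.1" 302 0',
    '198.51.100.7 - - [05/Apr/2021:10:01:00 +0000] "GET /carbon/admin/login.jsp?msgId=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5170',
]

# Constructed response body containing the marker, standing in for a vulnerable
# login page; the real page's surrounding HTML is not reproduced here.
SAMPLE_VULN_BODY = (
    "<html><head><title>WSO2 Management Console</title></head><body>\n"
    "<script>'';alert('document.domain')//;</script>\n"
    "</body></html>"
)


def extract_msgid(target):
    """Return the decoded msgId of a request to the vulnerable path, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM)
    if not values:
        return None
    # parse_qs decodes once; decode again so double-encoded probes are caught too.
    return unquote(values[0])


def scan_access_log(lines):
    """Return (ip, decoded msgId) pairs for lines that look like CVE-2020-17453 probes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        msgid = extract_msgid(m.group("target"))
        if msgid is not None and INJECTION_RE.search(msgid):
            hits.append((m.group("ip"), msgid))
    return hits


def nuclei_style_match(status, headers, body):
    """All three template conditions must hold: 200, marker in body, text/html."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return status == 200 and "text/html" in ctype and REFLECTED_MARKER in body


if __name__ == "__main__":
    for ip, payload in scan_access_log(SAMPLE_LOG):
        print("suspect msgId from %s: %r" % (ip, payload))
    print("vulnerable response:",
          nuclei_style_match(200, {"Content-Type": "text/html;charset=UTF-8"}, SAMPLE_VULN_BODY))
```

The log scan decodes the parameter before matching, so it catches the template's `%27%3B...%2F%2F` probe and plain `<script>` attempts alike; the response check deliberately ANDs all three conditions, matching the template, so a 200 text/html page that does not reflect the marker is not reported.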

CVSS provenance

nvd v3.1: 6.1 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd v2.0: 4.3 MEDIUM  AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck: 6.1 MEDIUM