CVE-2020-17453
Published 2021-04-05
Priority: P2 · 78 · medium · CVSS 3.1 score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 26.12% (97.7th percentile)
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
Affected
17 ranges (identical rows without version data collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | <= 3.2.0 | — |
| wso2 | api_manager_analytics | — | — |
| wso2 | api_microgateway | — | — |
| wso2 | enterprise_integrator | <= 6.6.0 | — |
| wso2 | identity_server | <= 5.10.0 | — |
| wso2 | identity_server_analytics | — | — |
| wso2 | identity_server_as_key_manager | — | — |
| wso2 | micro_integrator | — | — |
Detection & IOCs (extracted from sources)
url: /carbon/admin/login.jsp?msgId=%27%3Balert(%27document.domain%27)%2F%2F
- Look for the XSS payload string in the HTTP response body: the reflected parameter value `'';alert('document.domain')//;` appearing in the login page body indicates successful exploitation.
- The vulnerable parameter is `msgId` in a GET request to /carbon/admin/login.jsp. Monitor for URL-encoded JavaScript injection patterns (e.g., %27%3B, %2F%2F) in this parameter.
- Use the Google dork inurl:"carbon/admin/login" to identify exposed WSO2 Management Console instances susceptible to this CVE.
- This vulnerability is exploitable in both authenticated and unauthenticated requests; detection should cover pre-login traffic to the login.jsp endpoint.
- Identify WSO2 Carbon Management Console instances via Shodan favicon hash 1398055326 or FOFA icon_hash=1398055326 for asset discovery and exposure assessment.
- The nuclei template requires an HTTP 200 response, the string `'';alert('document.domain')//;` in the body, AND text/html in the response header: all three conditions must match for a confirmed finding.
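A defender-side check for the request pattern the bullets above describe, as an added example that is not part of this page or of any vendor tooling: it parses constructed access-log lines (a hypothetical sample, not real traffic), decodes the `msgId` value of requests to `/carbon/admin/login.jsp`, and flags values containing the script-breakout characters that the encoded examples above (%27, %3B, %2F%2F) stand for.

```python
# Added example, not from the page or from WSO2/VulnCheck: flag GET requests
# to the Management Console login page whose msgId value carries script markers.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Nov/2023:10:01:02 +0000] "GET /carbon/admin/login.jsp?msgId=%27%3Balert(%27document.domain%27)%2F%2F HTTP/1.1" 200 5123
203.0.113.11 - - [13/Nov/2023:10:01:05 +0000] "GET /carbon/admin/login.jsp?msgId=login.fail HTTP/1.1" 200 5120
203.0.113.12 - - [13/Nov/2023:10:01:09 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 5100
203.0.113.13 - - [13/Nov/2023:10:02:00 +0000] "GET /carbon/admin/login.jsp?msgId=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5130
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate msgId is a message key such as "login.fail"; these decoded
# substrings are what an injection needs to break out of the JS string the
# page reflects it into (the encoded forms on this page: %27, %3B, %2F%2F).
MARKERS = ("'", '"', ";", "//", "<", ">", "alert(")


def suspicious_msgid(value: str) -> bool:
    """True if a (once-decoded) msgId value looks like script injection."""
    decoded = unquote(value)  # second decode pass catches double encoding
    return any(marker in decoded for marker in MARKERS)


def scan_log(text: str) -> list:
    """Return one dict per request to login.jsp with a suspicious msgId."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/carbon/admin/login.jsp"):
            continue
        # parse_qs already URL-decodes each value once
        for value in parse_qs(parts.query, keep_blank_values=True).get("msgId", []):
            if suspicious_msgid(value):
                hits.append({"src": m.group("src"), "status": m.group("status"), "msgId": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Pair a hit with the response-side check from the bullets (status 200, text/html, the reflected string in the body) before treating it as confirmed exploitation rather than an attempt.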
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | — | 6.1 | MEDIUM | — |
GHSA
GHSA-5q6x-p849-7jj8 · ghsa_unreviewed · 2022-05-24 · CWE-79 · MEDIUM
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
VulnCheck
WSO2 api_manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck · 2020 · CVSS 6.1 · MEDIUM
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
Affected: WSO2 api_manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2020-17453; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2020-17453; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&host_type=src&vulnerability=cve-202
No detection rules found.
Nuclei
WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting
nuclei · CVSS 6.1 · MEDIUM
WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
Template (truncated):
```yaml
id: CVE-2020-17453

info:
  name: WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting
  author: madrobot
  severity: medium
  description: WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScr
```
GreyNoise
NoiseLetter October 2025 · blogs_greynoiseio
HackerOne
Cross-site Scripting (XSS) - Reflected on https://api.mtn.sd/carbon/admin/login.jsp via `msgId` parameter - CVE-2020-17453
hackerone · 2024-08-24 · CVSS 6.1 · MEDIUM
Hello,
I found a Reflected Cross-site Scripting (XSS) on https://api.mtn.sd/carbon/admin/login.jsp, CVE-2020-17453. With this security flaw it is possible to rewrite the content of the page, executing JS code...
## Steps To Reproduce:
How we can reproduce the issue:
1. Go to https://api.mtn.sd/carbon/admin/login.jsp?msgId=%27%3Balert(%27Renzi%27)%2F%2F
2. And we can see an alert with the Renzi message...
Supporting Material/References:
* https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-1132
* https://owasp.org/www-community/attacks/xss/
## Impact
* The attacker can execute JS code.
* Rewrite the content of the page.
References:
* https://github.com/JHHAX/CVE-2020-17453-PoC
* https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/
* https://twitter.com/JacksonHHax/status/1374681422678519813