Vulnerability Details : CVE-2022-29548
Potential exploit
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-29548
- cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:enterprise_integrator:6.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:enterprise_integrator:6.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager_analytics:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29548
74.99%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-29548
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
|
4.6
|
MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
2.1
|
2.5
|
MITRE | |
|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2022-29548
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-29548
-
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603
Security Advisory WSO2-2021-1603 - WSO2 Platform Security - WSO2 DocumentationVendor Advisory
-
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/
Security Advisory WSO2-2021-1603
-
http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html
WSO2 Management Console Cross Site Scripting ≈ Packet StormExploit;Third Party Advisory;VDB Entry
Jump to