CVE-2022-29548 Overview
A reflected Cross-Site Scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products. This security flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, credential theft, or other client-side attacks. The vulnerability affects a wide range of WSO2 enterprise integration and identity management solutions, including API Manager, Enterprise Integrator, and Identity Server across multiple versions.
Critical Impact
This reflected XSS vulnerability lets an attacker run JavaScript of their choosing in the browser of anyone who follows a crafted link to the Management Console. If the victim is a logged-in administrator, the script executes in the console's origin with that administrator's session, so it can invoke console functions and read whatever the administrator can see. Because the flaw is reflected, nothing is stored on the server and a victim has to act, but an administrator session on a WSO2 console is a high-value target.
Affected Products
- WSO2 API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0
- WSO2 API Manager Analytics 2.2.0, 2.5.0, and 2.6.0
- WSO2 API Microgateway 2.2.0
- WSO2 Data Analytics Server 3.2.0
- WSO2 Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0
- WSO2 IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0
- WSO2 Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0
- WSO2 Identity Server Analytics 5.5.0 and 5.6.0
- WSO2 Micro Integrator 1.0.0
Discovery Timeline
- 2022-04-21 - CVE-2022-29548 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-29548
Vulnerability Analysis
This reflected XSS vulnerability (CWE-79) is in the Carbon Management Console, a component shared across WSO2's product suite, which is why one flaw appears in so many products and versions. An attacker crafts a console URL carrying a JavaScript payload in a query parameter; when a victim opens it, the value is reflected into the generated page and runs in the console's origin. The request can be triggered over the network without authentication, but it requires user interaction, and the payload only becomes dangerous when the victim holds a live console session, because the script then acts with that session's privileges.
At the time this page was written the vulnerability had an EPSS score of 76.361% (98.9th percentile), indicating a much higher estimated likelihood of exploitation in the wild than most vulnerabilities. That probability, together with publicly available exploit code on ExploitDB, makes this vulnerability a priority for remediation. EPSS scores are recalculated daily, so check the current value before using it to rank work.
Root Cause
The root cause is missing output encoding in the WSO2 Management Console: a user-supplied parameter is written into the generated HTML without being HTML-entity encoded, so a value containing markup or script is interpreted by the browser as part of the page rather than as text. Input validation on the parameter would have reduced the exposure, but the defect proper is the lack of context-appropriate encoding at the point where the value is emitted into HTML (CWE-79), and that encoding is the fix.
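To make the root cause concrete, here is an added illustration written for this page in Python; it is not WSO2's code (which is Java and JSP), and the `msg` parameter name and the error-message table are hypothetical. It shows the vulnerable reflection beside two fixes: HTML-entity encoding at the emission point, and an allowlist that stops treating the parameter as free text at all.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed illustration of the bug class, not WSO2 code: a page renderer
# that echoes a hypothetical 'msg' query parameter into a login-error box.
TEMPLATE = '<div class="error">Login failed: {msg}</div>'

# Hypothetical allowlist used by the hardened variant: the parameter selects a
# message instead of supplying one.
ERROR_MESSAGES = {
    "bad.credentials": "Invalid username or password.",
    "account.locked": "Your account is locked. Contact an administrator.",
}
GENERIC_MESSAGE = "Please try again."


def _param(query_string: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """CWE-79: the parameter is written into the HTML verbatim, so markup or
    script in the URL becomes markup or script in the page."""
    return TEMPLATE.format(msg=_param(query_string, "msg"))


def render_encoded(query_string: str) -> str:
    """Minimal fix: HTML-entity-encode the value where it is emitted.
    html.escape with quote=True also encodes quotes, so the same value is
    safe inside a quoted attribute. It is NOT sufficient for a value placed
    inside a <script> block, an event handler or a javascript: URL; those
    contexts need their own encoders."""
    return TEMPLATE.format(msg=html.escape(_param(query_string, "msg"), quote=True))


def render_allowlisted(query_string: str) -> str:
    """Stronger fix: treat the parameter as a key into a fixed message table.
    Unknown keys fall back to a generic message, so attacker-controlled text
    never reaches the page. Output encoding is still applied so the code stays
    safe if someone later adds a message containing '<'."""
    text = ERROR_MESSAGES.get(_param(query_string, "msg"), GENERIC_MESSAGE)
    return TEMPLATE.format(msg=html.escape(text, quote=True))


_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)")


def raw_tags(rendered_html: str) -> set:
    """Names of the real (unencoded) tags in the output. The template itself
    contributes only 'div'; anything else came from the parameter."""
    return {name.lower() for name in _TAG_RE.findall(rendered_html)}


if __name__ == "__main__":
    payload = "msg=<script>alert(document.cookie)</script>"
    for fn in (render_vulnerable, render_encoded, render_allowlisted):
        out = fn(payload)
        print(f"{fn.__name__}: tags={sorted(raw_tags(out))}\n  {out}")
```

`raw_tags` is the comparison used here: the vulnerable renderer yields `{"div", "script"}` for the payload, while both fixes yield `{"div"}`. The point of the allowlist variant is that it removes the decision about encoding contexts entirely, which matters in a console whose pages put the same values into attributes and inline scripts.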
Attack Vector
The attack vector for CVE-2022-29548 is network-based, requiring user interaction to succeed. An attacker crafts a malicious URL containing a JavaScript payload and tricks an authenticated administrator into clicking the link. When the victim visits the crafted URL, the malicious script executes within their browser session, potentially allowing the attacker to:
- Steal the session cookie and any authentication tokens the page exposes (reading the cookie is blocked if it carries the HttpOnly flag, but a script running in the console's origin can still send requests that the browser attaches the cookie to)
- Perform actions on behalf of the victim within the Management Console
- Redirect users to phishing pages
- Capture keystrokes and form data
The reflected XSS vulnerability is exploited by embedding malicious JavaScript within URL parameters that are reflected back into the page without proper encoding. Attackers typically distribute these malicious links through phishing emails or by embedding them in other websites. For detailed technical information, refer to the Packet Storm Exploit Report.
Detection Methods for CVE-2022-29548
Indicators of Compromise
- Suspicious URL patterns in web server logs containing encoded JavaScript or HTML tags in query parameters
- Unexpected redirect attempts or external resource loading from the Management Console
- Unusual session activity following link clicks, particularly administrative actions not initiated by the user
- Client-side error logs showing script injection attempts or blocked inline script execution
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in URL parameters
- Monitor HTTP access logs for requests containing script tags, event handlers, or JavaScript protocol handlers
- Deploy a Content Security Policy in report-only mode with a reporting endpoint, so browsers report inline scripts that a reflected payload tries to execute instead of silently blocking or running them
- Use SIEM correlation rules to identify patterns of XSS exploitation attempts across multiple users
Monitoring Recommendations
- Enable detailed logging on the WSO2 Management Console to capture all incoming requests and parameters
- Configure alerts for requests containing suspicious patterns such as <script>, javascript:, or encoded variants
- Monitor for unusual administrative activity that may indicate session compromise following XSS exploitation
- Review authentication logs for session anomalies that could indicate token theft
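The indicators, detection strategies and monitoring recommendations above come down to one concrete check: scan the console's access logs for reflected-XSS payloads in query strings, including the encoded variants, and correlate by source. Here is an added example written for this page (not WSO2 tooling) that runs that check over constructed, clearly synthetic log lines; the `/carbon/admin/login.jsp` path is the console's login page, but the `msg` parameter used in the sample payloads is hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache/Tomcat-style access log lines (not real traffic): a clean
# request, a plain payload, a double-encoded payload, a benign console request
# and a javascript: URL payload. The 'msg' parameter is hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2022:10:00:01 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 4120
203.0.113.7 - - [21/Apr/2022:10:00:02 +0000] "GET /carbon/admin/login.jsp?msg=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4312
203.0.113.7 - - [21/Apr/2022:10:00:03 +0000] "GET /carbon/admin/login.jsp?msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4280
10.0.0.9 - - [21/Apr/2022:10:00:04 +0000] "GET /carbon/admin/index.jsp?region=region1&item=home HTTP/1.1" 200 8901
198.51.100.2 - - [21/Apr/2022:10:00:05 +0000] "GET /carbon/admin/login.jsp?msg=javascript%3Aalert(1) HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators, matched against the fully decoded query string.
XSS_INDICATORS = [
    (re.compile(r"<\s*script", re.I), "script tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I), "active HTML element"),
]


def full_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded payloads such as %253Cscript%253E are normalised to
    <script> before matching. A single-pass decoder misses these."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for a log line whose query string carries an XSS
    indicator, or None for benign or unparseable lines."""
    m = LOG_RE.match(line)
    if not m or "?" not in m["path"]:
        return None
    path, query = m["path"].split("?", 1)
    decoded = full_decode(query)
    hits = [label for rx, label in XSS_INDICATORS if rx.search(decoded)]
    if not hits:
        return None
    # A 200 here means the payload reached the application; a WAF block would
    # normally show up as a 403 instead.
    return {"ip": m["ip"], "timestamp": m["ts"], "path": path,
            "status": int(m["status"]), "indicators": hits,
            "decoded_query": decoded}


def scan_log(text: str) -> list:
    """Scan every line and keep only the findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


def attempts_by_source(findings: list) -> dict:
    """Counts per source IP, the simplest correlation rule for a SIEM: several
    hits from one address against the console is a scanner or an exploit
    attempt rather than a stray click."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f["ip"], f["path"], f["status"], f["indicators"])
    print(attempts_by_source(findings))
```

On the sample data the scan flags three of the five lines and attributes two of them to the same address; the benign `region=region1` request is not flagged because the event-handler pattern requires a word boundary before `on`. The decode loop is the part most real deployments get wrong: a rule that only inspects the raw URL sees `%253C`, not `<`, and the application will happily decode twice on the attacker's behalf.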
How to Mitigate CVE-2022-29548
Immediate Actions Required
- Apply the official security patches from WSO2 as documented in Security Advisory WSO2-2021-1603
- Add a Content Security Policy that disallows inline script execution; roll it out in report-only mode first, because the Management Console's pages rely on inline scripts and a strict policy is likely to break them until the exceptions are worked out
- Review and restrict access to the Management Console to trusted networks only
- Educate administrators about phishing risks and the dangers of clicking untrusted links while authenticated
Patch Information
WSO2 has released security patches to address this vulnerability. Organizations should upgrade to the latest patched versions of their respective WSO2 products. Detailed patch information and upgrade instructions are available in the WSO2 Security Advisory Documentation. It is critical to test patches in a staging environment before deploying to production systems.
Workarounds
- Restrict Management Console access to internal networks or VPN-only connections to limit attack surface
- Implement network-level access controls to allow only authorized IP addresses to reach the Management Console
- Deploy a Web Application Firewall (WAF) with XSS protection rules in front of WSO2 products
- Set the HttpOnly and Secure flags on the console's session cookie so an injected script cannot read it; this limits token theft but does not stop the script from performing actions with the victim's session while the page is open
# Example: Apache reverse proxy with XSS-mitigating headers in front of the
# WSO2 Management Console (needs mod_ssl, mod_headers, mod_proxy and
# mod_proxy_http; certificate paths are placeholders). The Carbon server should
# also be configured with the external hostname (MgtHostName) so console
# redirects do not point at localhost:9443.
<VirtualHost *:443>
    ServerName wso2.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wso2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wso2.example.com.key
    # Security headers to mitigate XSS. X-XSS-Protection is ignored by current
    # browsers (the XSS auditor was removed) and is kept only for old clients.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # The console uses inline scripts, so this policy will break it until the
    # exceptions are worked out: deploy as Content-Security-Policy-Report-Only first.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
    # Restrict the console to trusted networks (adjust the ranges to your environment)
    <Location /carbon>
        Require ip 10.0.0.0/8 192.168.0.0/16
    </Location>
    # The backend listens on TLS, so SSLProxyEngine is required or the proxy fails
    SSLProxyEngine on
    ProxyPass / https://localhost:9443/
    ProxyPassReverse / https://localhost:9443/
</VirtualHost>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


