CVE-2020-17453

MEDIUM EXPLOITED NUCLEI

WSO2 Management Console <5.10 - XSS

Title source: llm

Description

WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.

Exploits (4)

nomisec SCANNER 5 stars
by karthi-the-hacker · remote
https://github.com/karthi-the-hacker/CVE-2020-17453
github WRITEUP 2 stars
by Pr0t0c01 · pythonpoc
https://github.com/Pr0t0c01/CVEs/tree/main/WSO2Carbon_CVE-2020-17453
nomisec WORKING POC 2 stars
by ydycjz6j · client-side
https://github.com/ydycjz6j/CVE-2020-17453-PoC
inthewild WORKING POC
poc
https://github.com/jhhax/cve-2020-17453-poc

Nuclei Templates (1)

WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting
MEDIUM by madrobot
Shodan: http.favicon.hash:1398055326
FOFA: icon_hash=1398055326

Scores

CVSS v3 6.1
EPSS 0.6717
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2023-11-13
CWE CWE-79
Status published
Products (17)
wso2/api_manager < 3.2.0
wso2/api_manager_analytics 2.2.0
wso2/api_manager_analytics 2.5.0
wso2/api_manager_analytics 2.6.0
wso2/api_microgateway 2.2.0
wso2/enterprise_integrator < 6.6.0
wso2/identity_server < 5.10.0
wso2/identity_server_analytics 5.4.0
wso2/identity_server_analytics 5.4.1
wso2/identity_server_analytics 5.5.0
... and 7 more
Published Apr 05, 2021
Tracked Since Feb 18, 2026