CVE-2020-17453: 
WSO2 API Manager vulnerability analysis and mitigation

WSO2 Management Console through version 5.10 contains a Cross-Site Scripting (XSS) vulnerability that affects the carbon/admin/login.jsp msgId parameter. The vulnerability was discovered by Jackson Henry and was assigned CVE-2020-17453. The issue affects multiple WSO2 products including API Manager, Enterprise Integrator, Identity Server, and related components (WSO2 Advisory).

The vulnerability is a reflected XSS that can be exploited by manipulating a request parameter in the Management Console. It has a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability can be exploited through both authenticated and unauthenticated requests (NVD, WSO2 Advisory).

When exploited, this XSS vulnerability could allow attackers to redirect browsers to malicious websites, modify web page UI elements, or extract information from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking attacks are not possible (WSO2 Advisory).

WSO2 has released fixes for affected products through various update levels. Community users can apply fixes based on the public fix available at https://github.com/wso2/carbon-kernel/pull/2796. WSO2 subscription holders should update their products to the specified update level or higher as detailed in the security advisory (WSO2 Advisory).