CVE-2022-29548: 
WSO2 API Manager vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability (CVE-2022-29548) was discovered in the Management Console of several WSO2 products. The vulnerability was disclosed on April 1, 2022, affecting multiple versions of WSO2 products including API Manager (versions 2.2.0 through 4.0.0), API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrator, IS as Key Manager, Identity Server, Identity Server Analytics, and WSO2 Micro Integrator (WSO2 Advisory).

The vulnerability stems from improper output encoding in the Management Console, which allows for a Reflected Cross-Site Scripting attack through parameter tampering. The severity is rated as Medium with a CVSS v3.1 score of 4.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) (WSO2 Advisory).

The exploitation of this vulnerability could allow malicious actors to redirect browsers to malicious websites, modify web page UI elements, and retrieve information from the browser. However, session hijacking attacks are prevented as all session-related sensitive cookies are protected with the httpOnly flag (WSO2 Advisory).

WSO2 has released patches for affected products. Community users can apply fixes based on the public fix available at https://github.com/wso2/carbon-kernel/pull/3145. WSO2 subscription holders should update their products to the specified update levels detailed in the security advisory. For instance, API Manager 4.0.0 should be updated to level 45 or higher (WSO2 Advisory).