CVE-2024-10242

Vulnerability

Overview

The authentication endpoint in WSO2 API Manager versions 4.0.0 and 3.2.0 contains a reflected cross-site scripting (XSS) vulnerability, identified as CVE-2024-10242 [1]. The root cause is insufficient validation of user-supplied input before it is reflected back in HTTP responses. An attacker can inject arbitrary JavaScript payloads into request parameters that are subsequently executed by the victim's browser [1].

Exploitation

Prerequisites

Exploitation does not require authentication, as the vulnerable endpoint is publicly accessible. The attack vector is network-based, with low attack complexity, though user interaction is required (e.g., the victim must click a crafted link) [1]. An attacker can craft a URL containing the malicious payload and trick the user into visiting it, potentially via phishing or other social engineering techniques [1].

Impact

Successful exploitation allows an attacker to redirect the victim's browser to a malicious site, modify the web page's UI, or extract non-sensitive information stored in the browser [1]. However, session-related sensitive cookies are protected by the httpOnly flag, which mitigates the risk of session hijacking or similar attacks [1]. This limitation reduces the overall impact to a medium severity (CVSS 6.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) [1].

Mitigation

WSO2 has released fixes for the affected products. Users with a support subscription should apply the required update level: for API Manager 4.0.0, update level 318 or higher; for API Manager 3.2.0, update level 401 or higher [1]. Users without a subscription should migrate to the latest unaffected version [1]. No workarounds have been provided other than updating.