CVE-2016-4316: WSO2 Carbon vulnerable to Cross-site Scripting

May 14, 2022 (updated April 22, 2025)

Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) setName parameter to identity-mgt/challenges-mgt.jsp; the (2) webappType or (3) httpPort parameter to webapp-list/webapp_info.jsp; the (4) dsName or (5) description parameter to ndatasource/newdatasource.jsp; the (6) phase parameter to viewflows/handlers.jsp; or the (7) url parameter to ndatasource/validateconnection-ajaxprocessor.jsp.

References

github.com/advisories/GHSA-2vcm-2mcr-wmx7
nvd.nist.gov/vuln/detail/CVE-2016-4316
web.archive.org/web/20201207111805/http://www.securityfocus.com/archive/1/539201/100/0/threaded
www.exploit-db.com/exploits/40241

Code Behaviors & Features

Detect and mitigate CVE-2016-4316 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →