{"id":"CVE-2020-24706","details":"An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.","modified":"2026-07-08T05:55:55.679145040Z","published":"2020-08-27T16:15:11.877Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"5.10.0"}],"source":"CPE_RANGE","vendor_product":"wso2:identity_server","cpes":["cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"5.6.0"}],"source":"CPE_RANGE","vendor_product":"wso2:identity_server_analytics","cpes":["cpe:2.3:a:wso2:identity_server_analytics:*:*:*:*:*:*:*:*"]},{"cpes":["cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"5.10.0"}],"source":"CPE_RANGE","vendor_product":"wso2:identity_server_as_key_manager"},{"source":"CPE_STRING","vendor_product":"wso2:iot_server","cpes":["cpe:2.3:a:wso2:iot_server:3.1.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"3.1.0"},{"last_affected":"3.1.0"}]}]},"references":[{"type":"ADVISORY","url":"https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0718"},{"type":"ADVISORY","url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wso2/analytics-apim","events":[{"introduced":"78105a9da92efdcfceaca4c011a7960ebd3df0e3"},{"last_affected":"78105a9da92efdcfceaca4c011a7960ebd3df0e3"}],"database_specific":{"extracted_events":[{"introduced":"2.5.0"},{"last_affected":"2.5.0"}],"source":"CPE_STRING","cpe":"cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*"}}],"versions":["2.5.0","v2.5.0-rc1","v2.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-24706.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wso2/product-apim","events":[{"introduced":"0"},{"last_affected":"2971de274564b622974de831403e9688a4a76c14"}],"database_specific":{"cpe":"cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"3.1.0"}],"source":"CPE_RANGE"}}],"versions":["v3.1.0-rc3","v3.1.0","v3.0.0-rc3","v3.0.0","v3.1.0-rc2","v3.1.0-rc1","v3.1.0-beta","v3.1.0-alpha","v3.1.0-m5","v3.1.0-m4","v3.1.0-m3","v3.1.0-m2","v3.1.0-m1","v3.0.0-rc2","v3.0.0-rc1","v3.0.0-beta","v3.0.0-alpha2","v3.0.0-alpha","v3.0.0-m35","v3.0.0-m34","v3.0.0-m33","v3.0.0-m32","v2.6.0-rc3","v2.6.0","v2.6.0-rc2","v2.6.0-rc1","v2.6.0-beta2","v2.6.0-beta","v2.6.0-alpha2","v2.6.0-alpha","v2.6.0-m2","v2.6.0-m1","v2.5.0-rc4","v2.5.0","v2.5.0-rc3","v2.5.0-rc2","v2.5.0-rc1","v2.5.0-Beta","v2.5.0-Alpha","v2.2.0-update7","v2.2.0-update6","v2.2.0-update5","v2.2.0-update4","v2.2.0-update3","v2.2.0-update2","v2.2.0-update1","v2.2.0","v2.1.0-update14","v2.1.0-update13","v2.1.0-update12","v2.1.0-update11","v2.1.0-update10","v2.1.0-update9","v2.1.0-update8","v2.1.0-update7","v2.1.0-update5","v2.1.0-update3","v2.1.0-update2","v2.1.0-update1","v2.1.0-alpha","v2.0.0-ALPHA","v2.0.0-M4","v1.9.0","v1.9.0-Beta-3","v1.9.0-Beta-2","v1.9.0-Beta","v1.9.0-Alpha","test-tag-1.9.0-Alpha","v1.9.0-M2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-24706.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}