MidnightBSD

Advisories for wso2

CVE-2016-4311 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
wso2 identity_server 5.1.0
CVE-2016-4312 MEDIUM

XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
wso2 identity_server 5.1.0
CVE-2016-4314 MEDIUM

Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the logFile parameter to downloadgz-ajaxprocessor.jsp.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
wso2 carbon 4.4.5
CVE-2016-4315 LOW

Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hijack the authentication of privileged users for requests that shutdown a server via a shutdown action to server-admin/proxy_ajaxprocessor.jsp.

CVSS 2.0

Severity: LOW

Problem Type: CWE-352,

Products Affected

Vendor Product Version
wso2 carbon 4.4.5
CVE-2016-4316 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) setName parameter to identity-mgt/challenges-mgt.jsp; the (2) webappType or (3) httpPort parameter to webapp-list/webapp_info.jsp; the (4) dsName or (5) description parameter to ndatasource/newdatasource.jsp; the (6) phase parameter to viewflows/handlers.jsp; or the (7) url parameter to ndatasource/validateconnection-ajaxprocessor.jsp.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 carbon 4.4.5
CVE-2016-4327 MEDIUM

Cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 enablement_server_for_java *
CVE-2017-14651 LOW

WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 business_rules_server 2.2.0
wso2 application_server 5.3.0
wso2 app_manager 1.2.0
wso2 storage_server 1.5.0
wso2 business_process_server 3.6.0
wso2 data_analytics_server 3.1.0
wso2 enterprise_integrator 6.1.1
wso2 governance_registry 5.4.0
wso2 data_services_server 3.5.1
wso2 dashboard_server 2.0.0
wso2 iot_server 3.0.0
wso2 machine_learner 1.2.0
wso2 identity_server 5.3.0
wso2 api_manager 2.1.0
wso2 message_broker 3.2.0
wso2 complex_event_processor 4.2.0
wso2 enterprise_mobility_manager 2.2.0
CVE-2017-14995 MEDIUM

The Management Console in WSO2 Application Server 5.3.0, WSO2 Business Process Server 3.6.0, WSO2 Business Rules Server 2.2.0, WSO2 Complex Event Processor 4.2.0, WSO2 Dashboard Server 2.0.0, WSO2 Data Analytics Server 3.1.0, WSO2 Data Services Server 3.5.1, and WSO2 Machine Learner 1.2.0 is affected by stored XSS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 business_rules_server 2.2.0
wso2 application_server 5.3.0
wso2 business_process_server 3.6.0
wso2 data_analytics_server 3.1.0
wso2 data_services_server 3.5.1
wso2 dashboard_server 2.0.0
wso2 complex_event_processor 4.2.0
wso2 machine_learner 1.2.0
CVE-2018-20736 LOW

An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. A DOM-based XSS exists in the store part of the product.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2018-20737 LOW

An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 2.6.0
wso2 identity_server 5.7.0
CVE-2018-8716 LOW

WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing attacks by low-privileged attackers.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server *
CVE-2019-10797 MEDIUM

Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
wso2 transport-http *
CVE-2019-15108 LOW

An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager *
CVE-2019-18881 MEDIUM

WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server 5.7.0
CVE-2019-18882 MEDIUM

WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server 5.7.0
CVE-2019-19587 MEDIUM

In WSO2 Enterprise Integrator 6.5.0, reflected XSS occurs when updating the message processor configuration from the source view in the Management Console.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 enterprise_integrator 6.5.0
CVE-2019-20434 LOW

An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2019-20435 LOW

An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful docName request parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2019-20436 MEDIUM

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server 5.8.0
wso2 api_manager 2.6.0
wso2 identity_server 5.7.0
CVE-2019-20437 MEDIUM

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect's URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker also needs to have privileges to log in to the management console, and to add and update identity provider configurations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server 5.8.0
wso2 api_manager 2.6.0
wso2 identity_server 5.7.0
CVE-2019-20438 LOW

An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the inline API documentation editor page of the API Publisher.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2019-20439 LOW

An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in defining a scope in the "manage the API" page of the API Publisher.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2019-20440 LOW

An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the update API documentation feature of the API Publisher.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2019-20441 LOW

An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the 'implement phase' of the API Publisher.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2019-20442 LOW

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server 5.8.0
wso2 enterprise_integrator 6.5.0
wso2 api_manager 2.6.0
wso2 identity_server 5.7.0
CVE-2019-20443 LOW

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server 5.8.0
wso2 enterprise_integrator 6.5.0
wso2 api_manager 2.6.0
wso2 identity_server 5.7.0
CVE-2019-6512 MEDIUM

An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network scanning), or to enumerate files because of the existence of the file:// wrapper.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2019-6513 MEDIUM

An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2019-6514 LOW

An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to inject a JavaScript payload that will be stored in the database and then displayed and executed on the same page, aka XSS.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 dashboard_server 2.0.0
CVE-2019-6515 MEDIUM

An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
wso2 api_manager 2.6.0
CVE-2019-6516 MEDIUM

An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to force the application to perform requests to the internal workstation (port-scanning) and to perform requests to adjacent workstations (network-scanning), aka SSRF.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
wso2 dashboard_server 2.0.0
CVE-2020-11885 MEDIUM

WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-918,

Products Affected

Vendor Product Version
wso2 enterprise_integrator *
CVE-2020-12719 MEDIUM

XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
wso2 api_microgateway 2.2.0
wso2 enterprise_integrator *
wso2 identity_server_analytics *
wso2 api_manager_analytics *
wso2 identity_server *
wso2 identity_server_as_key_manager *
wso2 api_manager *
CVE-2020-13226 HIGH

WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-918,

Products Affected

Vendor Product Version
wso2 api_manager 3.0.0
CVE-2020-13883 MEDIUM

In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H 1.2 5.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
wso2 api_microgateway 2.2.0
wso2 identity_server_as_key_manager *
wso2 api_manager *
CVE-2020-14444 LOW

An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Policy Administration user interface.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server *
wso2 identity_server_as_key_manager *
CVE-2020-14445 LOW

An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Basic Policy Editor user Interface.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server *
wso2 identity_server_as_key_manager *
CVE-2020-14446 MEDIUM

An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
wso2 identity_server *
wso2 identity_server_as_key_manager *
CVE-2020-17453 MEDIUM

WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_microgateway 2.2.0
wso2 identity_server_as_key_manager 5.5.0
wso2 identity_server_analytics 5.4.1
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager *
wso2 api_manager_analytics 2.5.0
wso2 identity_server_as_key_manager 5.9.0
wso2 micro_integrator 1.0.0
wso2 identity_server_analytics 5.4.0
wso2 api_manager_analytics 2.6.0
wso2 identity_server_analytics 5.5.0
wso2 identity_server_analytics 5.6.0
wso2 enterprise_integrator *
wso2 identity_server_as_key_manager 5.6.0
wso2 identity_server *
wso2 identity_server_as_key_manager 5.10.0
wso2 api_manager_analytics 2.2.0
CVE-2020-17454 MEDIUM

WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal box appears that writes an error message concatenated to the injected payload (without any form of data encoding). This can also be exploited via CSRF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager *
CVE-2020-24589 MEDIUM

The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2
cve@mitre.org 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
wso2 api_microgateway 2.2.0
wso2 api_manager *
CVE-2020-24590 MEDIUM

The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-776,

Products Affected

Vendor Product Version
wso2 api_microgateway 2.2.0
wso2 api_manager *
CVE-2020-24591 MEDIUM

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H 1.2 5.2
cve@mitre.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H 1.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
wso2 api_manager_analytics 2.5.0
wso2 api_microgateway 2.2.0
wso2 enterprise_integrator 6.3.0
wso2 identity_server_analytics *
wso2 api_manager_analytics 2.2.0
wso2 enterprise_integrator 6.2.0
wso2 api_manager *
CVE-2020-24703 MEDIUM

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
cve@mitre.org 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
wso2 identity_server 5.8.0
wso2 api_microgateway 2.2.0
wso2 iot_server 3.3.0
wso2 identity_server_as_key_manager 5.5.0
wso2 identity_server 5.5.0
wso2 api_manager 2.2.0
wso2 identity_server_analytics 5.5.0
wso2 enterprise_integrator *
wso2 iot_server 3.3.1
wso2 data_analytics_server 3.2.0
wso2 api_manager_analytics 2.2.0
CVE-2020-24704 MEDIUM

An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
cve@mitre.org 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server 5.8.0
wso2 api_microgateway 2.2.0
wso2 iot_server 3.3.0
wso2 identity_server_as_key_manager 5.5.0
wso2 identity_server 5.5.0
wso2 api_manager 2.2.0
wso2 identity_server_analytics 5.5.0
wso2 enterprise_integrator *
wso2 iot_server 3.3.1
wso2 data_analytics_server 3.2.0
wso2 api_manager_analytics 2.2.0
CVE-2020-24705 MEDIUM

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
wso2 api_manager_analytics 2.5.0
wso2 identity_server_analytics *
wso2 iot_server 3.1.0
wso2 identity_server *
wso2 identity_server_as_key_manager *
wso2 api_manager *
CVE-2020-24706 MEDIUM

An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
cve@mitre.org 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager_analytics 2.5.0
wso2 identity_server_analytics *
wso2 iot_server 3.1.0
wso2 identity_server *
wso2 identity_server_as_key_manager *
wso2 api_manager *
CVE-2020-25516 LOW

WSO2 Enterprise Integrator 6.6.0 or earlier contains a stored cross-site scripting (XSS) vulnerability in BPMN explorer tasks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 enterprise_integrator *
CVE-2020-27885 MEDIUM

Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s password and invalidate the session of the victim while the hacker maintains access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_manager 3.1.0
CVE-2021-36760 MEDIUM

In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 identity_server 5.8.0
wso2 identity_server_as_key_manager 5.5.0
wso2 api_manager 3.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 identity_server_as_key_manager 5.3.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.9.0
wso2 identity_server 5.11.0
wso2 iot_server 3.3.1
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.6.0
wso2 api_manager 3.1.0
wso2 identity_server_as_key_manager 5.10.0
CVE-2021-42646 MEDIUM

XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
wso2 identity_server 5.8.0
wso2 api_manager 3.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 2.6.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.9.0
wso2 identity_server 5.11.0
wso2 identity_server 5.10.0
wso2 api_manager 3.1.0
wso2 identity_server_as_key_manager 5.10.0
CVE-2022-29464 HIGH

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
cve@mitre.org 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
wso2 open_banking_iam 2.0.0
wso2 identity_server_analytics 5.4.0
wso2 identity_server_analytics 5.5.0
wso2 identity_server_analytics 5.4.1
wso2 identity_server_analytics 5.6.0
wso2 enterprise_integrator *
wso2 open_banking_km *
wso2 identity_server *
wso2 identity_server_as_key_manager *
wso2 api_manager *
wso2 open_banking_am *
CVE-2022-29548 MEDIUM

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wso2 api_microgateway 2.2.0
wso2 identity_server_as_key_manager 5.5.0
wso2 api_manager 3.0.0
wso2 api_manager 2.6.0
wso2 api_manager 3.2.0
wso2 enterprise_integrator 6.2.0
wso2 identity_server 5.5.0
wso2 api_manager_analytics 2.6.0
wso2 identity_server 5.6.0
wso2 identity_server 5.11.0
wso2 data_analytics_server 3.2.0
wso2 enterprise_integrator 6.5.0
wso2 identity_server_as_key_manager 5.6.0
wso2 api_manager 3.1.0
wso2 api_manager_analytics 2.2.0
wso2 enterprise_integrator 6.6.0
wso2 api_manager 2.2.0
wso2 enterprise_integrator 6.3.0
wso2 identity_server_as_key_manager 5.7.0
wso2 enterprise_integrator 6.4.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 api_manager 2.5.0
wso2 api_manager_analytics 2.5.0
wso2 identity_server_as_key_manager 5.9.0
wso2 micro_integrator 1.0.0
wso2 identity_server_analytics 5.5.0
wso2 identity_server 5.9.0
wso2 identity_server_analytics 5.6.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
CVE-2022-39809

An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wso2 enterprise_integrator 6.4.0
CVE-2022-39810

An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wso2 enterprise_integrator 6.4.0
CVE-2022-4520

A vulnerability was found in WSO2 carbon-registry up to 4.8.11. It has been rated as problematic. Affected by this issue is some unknown functionality of the file components/registry/org.wso2.carbon.registry.search.ui/src/main/resources/web/search/advancedSearchForm-ajaxprocessor.jsp of the component Advanced Search. The manipulation of the argument mediaType/rightOp/leftOp/rightPropertyValue/leftPropertyValue leads to cross site scripting. The attack may be launched remotely. Upgrading to version 4.8.12 is able to address this issue. The name of the patch is 0c827cc1b14b82d8eb86117ab2e43c34bb91ddb4. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215900.

Products Affected

Vendor Product Version
wso2 carbon-registry *
CVE-2022-4521

A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.6. This affects an unknown part of the component Request Parameter Handler. The manipulation of the argument parentPath/path/username/path/profile_menu leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.8.7 is able to address this issue. The name of the patch is 9f967abfde9317bee2cda469dbc09b57d539f2cc. It is recommended to upgrade the affected component. The identifier VDB-215901 was assigned to this vulnerability.

Products Affected

Vendor Product Version
wso2 carbon-registry *
CVE-2023-31664

A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter.

Products Affected

Vendor Product Version
wso2 api_manager *
CVE-2023-6835

Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
wso2 api_manager 2.2.0
wso2 iot_server 3.3.1
wso2 api_manager 2.6.0
wso2 api_manager 2.5.0
CVE-2023-6836

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
wso2 api_microgateway 2.2.0
wso2 identity_server_as_key_manager 5.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager *
wso2 api_manager_analytics 2.5.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.5.0
wso2 micro_integrator 1.0.0
wso2 identity_server 5.4.1
wso2 identity_server 5.6.0
wso2 enterprise_integrator *
wso2 identity_server_as_key_manager 5.6.0
wso2 api_manager_analytics 2.2.0
wso2 identity_server 5.4.0
CVE-2023-6837

Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled. Attacker should have: * A fresh valid user account in the federated IDP that has not been used earlier. * Knowledge of the username of a valid user in the local IDP. When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 8.5 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N 3.1 4.7
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N 1.8 5.8

Products Affected

Vendor Product Version
wso2 identity_server 5.8.0
wso2 api_manager 3.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 2.6.0
wso2 identity_server_as_key_manager *
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 api_manager 2.5.0
wso2 api_manager *
wso2 identity_server_as_key_manager 5.9.0
wso2 carbon_identity_application_authentication_endpoint *
wso2 identity_server 5.6.0
wso2 identity_server 5.9.0
wso2 identity_server 5.11.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.6.0
wso2 api_manager 3.1.0
wso2 identity_server *
wso2 identity_server_as_key_manager 5.10.0
wso2 carbon_identity_application_authentication_framework *
CVE-2023-6838

Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wso2 identity_server 5.10.0
wso2 api_manager 3.1.0
wso2 identity_server_as_key_manager 5.10.0
wso2 api_manager 3.2.0
CVE-2023-6839

Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
wso2 api_manager 3.0.0
wso2 api_manager 3.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
CVE-2023-6911

Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
wso2 api_microgateway 2.2.0
wso2 identity_server_as_key_manager 5.5.0
wso2 enterprise_integrator 6.1.1
wso2 identity_server_analytics 5.4.1
wso2 api_manager 3.0.0
wso2 api_manager 2.6.0
wso2 api_manager 3.2.0
wso2 enterprise_integrator 6.2.0
wso2 enterprise_integrator 6.1.0
wso2 identity_server 5.5.0
wso2 identity_server_analytics 5.4.0
wso2 identity_server 5.6.0
wso2 data_analytics_server 3.2.0
wso2 enterprise_integrator 6.5.0
wso2 identity_server_as_key_manager 5.6.0
wso2 api_manager 3.1.0
wso2 message_broker 3.2.0
wso2 api_manager_analytics 2.2.0
wso2 enterprise_integrator 6.6.0
wso2 identity_server 5.8.0
wso2 api_manager 2.2.0
wso2 enterprise_integrator 6.3.0
wso2 identity_server_as_key_manager 5.7.0
wso2 enterprise_integrator 6.4.0
wso2 identity_server 5.7.0
wso2 api_manager 2.5.0
wso2 api_manager_analytics 2.5.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.4.1
wso2 identity_server_analytics 5.5.0
wso2 identity_server 5.9.0
wso2 identity_server_analytics 5.6.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
wso2 identity_server 5.4.0
CVE-2024-0392

A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence of CSRF token validation. This flaw allows attackers to craft malicious requests that can trigger state-changing operations on behalf of an authenticated user, potentially compromising account settings and data integrity. The vulnerability only affects a limited set of state-changing operations, and successful exploitation requires social engineering to trick a user with access to the management console into performing the malicious action.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L 2.8 2.5

Products Affected

Vendor Product Version
wso2 enterprise_integrator 6.6.0
CVE-2024-1440

An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 identity_server 5.10.0
wso2 identity_server 7.0.0
wso2 api_manager 3.1.0
wso2 identity_server_as_key_manager 5.10.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
CVE-2024-1524

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control. The Deployment should have: -An IDP configured for federated authentication with Silent JIT provisioning enabled. The malicious actor should have: -A fresh valid user account in the federated IDP that has not been used earlier. -Knowledge of the username of a valid user in the local IDP. -An account at the federated IDP matching the targeted local username.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 7.7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L 2.2 5.5

Products Affected

Vendor Product Version
wso2 identity_server *
wso2 api_manager *
CVE-2024-2321

An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged unauthorized access to API resources, impacting data confidentiality and integrity.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 4.1.0
wso2 api_manager 4.0.0
CVE-2024-3509

A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. While this issue enables persistent client-side script execution, session-related cookies remain protected with the httpOnly flag, preventing session hijacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.2 2.7

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 api_manager 4.3.0
wso2 identity_server 7.0.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 3.2.1
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_integrator 6.6.0
CVE-2024-3511

An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 api_manager 4.3.0
wso2 identity_server 7.0.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 3.2.1
wso2 identity_server 5.10.0
wso2 open_banking_am 2.0.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_integrator 6.6.0
CVE-2024-4598

An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions. This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
wso2 micro_integrator 4.1.0
wso2 micro_integrator *
wso2 micro_integrator 1.2.0
wso2 api_manager 3.2.1
wso2 api_manager 4.3.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager *
CVE-2024-5848

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious JavaScript. Successful exploitation could lead to UI manipulation, redirection to malicious websites, or data exfiltration from the browser. While session-related sensitive cookies are protected with the httpOnly flag, mitigating session hijacking risks, the impact may vary depending on gateway-level service restrictions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 api_manager 3.2.1
wso2 api_manager 4.3.0
wso2 api_manager 3.1.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
CVE-2024-5962

A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of multiple WSO2 products due to missing output encoding of user-supplied input. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the authentication flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. While this issue could allow an attacker to manipulate the user’s browser, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 identity_server 6.0.0
wso2 identity_server 6.1.0
wso2 api_manager 4.3.0
CVE-2024-6429

A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI. By exploiting this vulnerability, attackers can manipulate browser-displayed error messages, enabling social engineering attacks through deceptive or misleading content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 api_manager 4.3.0
wso2 identity_server 7.0.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 identity_server 5.10.0
CVE-2024-6914

An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
wso2 identity_server_as_key_manager 5.5.0
wso2 api_manager 3.0.0
wso2 api_manager 4.3.0
wso2 open_banking_am 1.3.0
wso2 api_manager 4.1.0
wso2 api_manager 2.6.0
wso2 api_manager 3.2.0
wso2 open_banking_km 1.4.0
wso2 identity_server_as_key_manager 5.3.0
wso2 open_banking_km 1.5.0
wso2 open_banking_am 1.5.0
wso2 identity_server 5.5.0
wso2 open_banking_iam 2.0.0
wso2 open_banking_am 1.4.0
wso2 identity_server 5.6.0
wso2 identity_server 5.11.0
wso2 api_manager 3.2.1
wso2 identity_server_as_key_manager 5.6.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server 5.8.0
wso2 api_manager 2.2.0
wso2 api_manager 4.2.0
wso2 identity_server 7.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 open_banking_km 1.3.0
wso2 api_manager 2.5.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.3.0
wso2 identity_server 5.4.1
wso2 identity_server 6.0.0
wso2 identity_server 5.9.0
wso2 identity_server 6.1.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
wso2 identity_server 5.4.0
CVE-2024-7073

A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin services. This flaw allows unauthenticated attackers to manipulate server-side requests, enabling access to internal and external resources available through the network or filesystem. Exploitation of this vulnerability could lead to unauthorized access to sensitive data and systems, including resources within private networks, as long as they are reachable by the affected product.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
wso2 identity_server_as_key_manager 5.5.0
wso2 identity_server 5.2.0
wso2 open_banking_km 1.4.0
wso2 identity_server_as_key_manager 5.3.0
wso2 open_banking_km 1.5.0
wso2 identity_server 5.5.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 5.6.0
wso2 identity_server 5.11.0
wso2 identity_server_as_key_manager 5.6.0
wso2 identity_server 5.8.0
wso2 identity_server 7.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 identity_server 5.7.0
wso2 open_banking_km 1.3.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.3.0
wso2 identity_server 5.4.1
wso2 identity_server 6.0.0
wso2 identity_server 5.9.0
wso2 identity_server 6.1.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
wso2 identity_server 5.4.0
CVE-2024-7096

A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.2 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 1.6 2.5

Products Affected

Vendor Product Version
wso2 identity_server_as_key_manager 5.5.0
wso2 api_manager 2.0.0
wso2 api_manager 3.0.0
wso2 api_manager 4.3.0
wso2 open_banking_am 1.3.0
wso2 api_manager 4.1.0
wso2 api_manager 2.6.0
wso2 identity_server 5.2.0
wso2 api_manager 3.2.0
wso2 open_banking_km 1.4.0
wso2 identity_server_as_key_manager 5.3.0
wso2 open_banking_km 1.5.0
wso2 open_banking_am 1.5.0
wso2 identity_server 5.5.0
wso2 api_manager 2.1.0
wso2 open_banking_iam 2.0.0
wso2 open_banking_am 1.4.0
wso2 identity_server 5.6.0
wso2 identity_server 5.11.0
wso2 api_manager 3.2.1
wso2 identity_server_as_key_manager 5.6.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server 5.8.0
wso2 api_manager 2.2.0
wso2 api_manager 4.2.0
wso2 identity_server 7.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 open_banking_km 1.3.0
wso2 api_manager 2.5.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.3.0
wso2 identity_server 5.4.1
wso2 identity_server 6.0.0
wso2 identity_server 5.9.0
wso2 identity_server 6.1.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
wso2 identity_server 5.4.0
CVE-2024-7097

An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
wso2 identity_server_as_key_manager 5.5.0
wso2 api_manager 3.0.0
wso2 api_manager 4.3.0
wso2 api_manager 4.1.0
wso2 api_manager 2.6.0
wso2 identity_server 5.2.0
wso2 api_manager 3.2.0
wso2 open_banking_km 1.4.0
wso2 identity_server_as_key_manager 5.3.0
wso2 open_banking_km 1.5.0
wso2 identity_server 5.5.0
wso2 api_manager 2.1.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 5.6.0
wso2 identity_server 5.11.0
wso2 api_manager 3.2.1
wso2 identity_server_as_key_manager 5.6.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server 5.8.0
wso2 api_manager 2.2.0
wso2 api_manager 4.2.0
wso2 identity_server 7.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 open_banking_km 1.3.0
wso2 api_manager 2.5.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.3.0
wso2 identity_server 5.4.1
wso2 identity_server 6.0.0
wso2 identity_server 5.9.0
wso2 identity_server 6.1.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
wso2 identity_server 5.4.0
CVE-2024-7103

A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due to improper input validation. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. While this issue could allow an attacker to manipulate the user’s browser, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

Products Affected

Vendor Product Version
wso2 identity_server 7.0.0
CVE-2024-7487

An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed. Exploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentication process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
wso2 identity_server 7.0.0
CVE-2024-8008

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.2 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.1 2.7

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 api_manager 4.3.0
wso2 identity_server 7.0.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 3.2.1
wso2 identity_server 5.10.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_integrator 6.6.0
CVE-2025-0209

A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. A malicious actor can exploit this vulnerability by injecting a crafted payload that is reflected in the server response, enabling the execution of arbitrary JavaScript in the victim's browser. This vulnerability could allow attackers to redirect users to malicious websites, modify the user interface, or exfiltrate data from the browser. However, session-related sensitive cookies are protected using the httpOnly flag, which mitigates the risk of session hijacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wso2 identity_server 7.0.0
CVE-2025-0663

A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 identity_server 5.10.0
wso2 identity_server 7.0.0
wso2 identity_server_as_key_manager 5.10.0
CVE-2025-0672

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 3.3 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N 0.7 2.5
nvd@nist.gov 3.8 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N 1.2 2.5

Products Affected

Vendor Product Version
wso2 open_banking_iam 2.0.0
wso2 identity_server 5.11.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
CVE-2025-10611

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
wso2 identity_server_as_key_manager 5.5.0
wso2 identity_server 7.1.0
wso2 api_manager 3.0.0
wso2 api_manager 4.3.0
wso2 api_manager 4.1.0
wso2 api_manager 2.6.0
wso2 api_manager 3.2.0
wso2 open_banking_km 1.4.0
wso2 identity_server_as_key_manager 5.3.0
wso2 open_banking_km 1.5.0
wso2 open_banking_am 1.5.0
wso2 identity_server 5.5.0
wso2 api_manager 2.1.0
wso2 open_banking_iam 2.0.0
wso2 open_banking_am 1.4.0
wso2 identity_server 5.6.0
wso2 identity_server 5.11.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 identity_server_as_key_manager 5.6.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server 5.8.0
wso2 api_manager 2.2.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 identity_server 7.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 api_manager 2.5.0
wso2 traffic_manager 4.5.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.3.0
wso2 identity_server 6.0.0
wso2 identity_server 5.9.0
wso2 identity_server 6.1.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
CVE-2025-10713

An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H 1.2 5.2

Products Affected

Vendor Product Version
wso2 identity_server 7.1.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_manager 4.3.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 traffic_manager 4.5.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 5.11.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 enterprise_integrator 6.6.0
CVE-2025-10853

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.2 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.1 2.7

Products Affected

Vendor Product Version
wso2 identity_server 7.1.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_manager 4.3.0
wso2 identity_server 7.0.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 traffic_manager 4.5.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_integrator 6.6.0
CVE-2025-10907

An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 8.4 HIGH CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.7 6.0

Products Affected

Vendor Product Version
wso2 identity_server 7.1.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_manager 4.3.0
wso2 identity_server 7.0.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 traffic_manager 4.5.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_integrator 6.6.0
CVE-2025-11093

An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 8.4 HIGH CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.7 6.0

Products Affected

Vendor Product Version
wso2 micro_integrator 4.0.0
wso2 api_manager 4.3.0
wso2 api_manager 4.1.0
wso2 micro_integrator 4.3.0
wso2 api_manager 3.2.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 traffic_manager *
wso2 api_manager 3.1.0
wso2 enterprise_integrator 6.6.0
wso2 micro_integrator 4.1.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_control_plane *
wso2 api_manager 4.0.0
wso2 api_manager *
wso2 traffic_manager 4.5.0
wso2 micro_integrator 4.2.0
wso2 universal_gateway *
wso2 micro_integrator *
wso2 enterprise_integrator *
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 micro_integrator 4.4.0
CVE-2025-12107

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
wso2 identity_server 5.11.0
CVE-2025-13590

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
wso2 traffic_manager 4.5.0
wso2 traffic_manager 4.6.0
wso2 api_manager 4.6.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 universal_gateway 4.6.0
wso2 api_manager 4.3.0
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 api_control_plane 4.6.0
CVE-2025-1396

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses. Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
CVE-2025-1862

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server. By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L 1.2 5.5

Products Affected

Vendor Product Version
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_integrator 6.6.0
CVE-2025-2905

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server’s filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

Products Affected

Vendor Product Version
wso2 api_manager *
CVE-2025-3125

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L 1.2 5.5

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_manager 4.3.0
wso2 identity_server 7.0.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 traffic_manager 4.5.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_integrator 6.6.0
CVE-2025-4760

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
wso2 traffic_manager 4.5.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_manager 3.2.1
wso2 api_manager 4.3.0
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
CVE-2025-5350

SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk. Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.9 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L 1.7 3.7

Products Affected

Vendor Product Version
wso2 identity_server 7.1.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_manager 4.3.0
wso2 identity_server 7.0.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 traffic_manager 4.5.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_integrator 6.6.0
CVE-2025-5605

An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
wso2 identity_server 7.1.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_manager 4.3.0
wso2 identity_server 7.0.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 traffic_manager 4.5.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 6.0.0
wso2 identity_server 5.11.0
wso2 identity_server 6.1.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_integrator 6.6.0
CVE-2025-5717

An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server. Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L 1.2 5.5

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_manager 3.0.0
wso2 api_manager 4.3.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
wso2 traffic_manager 4.5.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
CVE-2025-5770

A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wso2 identity_server 7.1.0
wso2 api_manager 4.2.0
wso2 identity_server 6.0.0
wso2 api_manager 4.5.0
wso2 identity_server 6.1.0
wso2 api_manager 4.3.0
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 identity_server 7.0.0
CVE-2025-6670

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
wso2 traffic_manager 4.6.0
wso2 identity_server 7.1.0
wso2 api_manager 4.6.0
wso2 api_manager 4.3.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 open_banking_iam 2.0.0
wso2 identity_server 5.11.0
wso2 universal_gateway 4.6.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 api_control_plane 4.6.0
wso2 identity_server 7.2.0
wso2 enterprise_integrator 6.6.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 identity_server 7.0.0
wso2 api_manager 4.0.0
wso2 traffic_manager 4.5.0
wso2 identity_server 6.0.0
wso2 identity_server 6.1.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
CVE-2025-9152

An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 api_manager 3.2.1
wso2 api_manager 4.3.0
wso2 api_manager 4.4.0
wso2 api_control_plane 4.5.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 api_manager 4.0.0
CVE-2025-9312

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
wso2 identity_server_as_key_manager 5.5.0
wso2 identity_server 7.1.0
wso2 api_manager 3.0.0
wso2 api_manager 4.3.0
wso2 api_manager 4.1.0
wso2 api_manager 2.6.0
wso2 identity_server 5.2.0
wso2 api_manager 3.2.0
wso2 open_banking_km 1.4.0
wso2 identity_server_as_key_manager 5.3.0
wso2 open_banking_km 1.5.0
wso2 open_banking_am 1.5.0
wso2 identity_server 5.5.0
wso2 open_banking_iam 2.0.0
wso2 open_banking_am 1.4.0
wso2 identity_server 5.6.0
wso2 identity_server 5.11.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 identity_server_as_key_manager 5.6.0
wso2 open_banking_am 2.0.0
wso2 api_manager 3.1.0
wso2 identity_server 7.2.0
wso2 identity_server 5.8.0
wso2 api_manager 2.2.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 identity_server 7.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 api_manager 2.5.0
wso2 traffic_manager 4.5.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.3.0
wso2 identity_server 5.4.1
wso2 identity_server 6.0.0
wso2 identity_server 5.9.0
wso2 identity_server 6.1.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 identity_server_as_key_manager 5.10.0
wso2 identity_server 5.4.0
CVE-2025-9804

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 9.6 CRITICAL CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
wso2 api_manager 2.0.0
wso2 api_manager 3.0.0
wso2 api_manager 2.6.0
wso2 identity_server 5.2.0
wso2 enterprise_integrator 6.2.0
wso2 identity_server_as_key_manager 5.3.0
wso2 identity_server 5.5.0
wso2 open_banking_iam 2.0.0
wso2 open_banking_am 1.4.0
wso2 identity_server 5.6.0
wso2 identity_server 5.11.0
wso2 api_manager 3.2.1
wso2 api_manager 4.4.0
wso2 data_analytics_server 3.2.0
wso2 identity_server_as_key_manager 5.6.0
wso2 open_banking_am 2.0.0
wso2 api_manager_analytics 2.2.0
wso2 api_manager 2.2.0
wso2 api_manager 4.2.0
wso2 api_manager 4.5.0
wso2 identity_server 7.0.0
wso2 identity_server_as_key_manager 5.7.0
wso2 api_manager 2.5.0
wso2 identity_server_analytics 5.5.0
wso2 identity_server 6.0.0
wso2 identity_server 5.9.0
wso2 identity_server 6.1.0
wso2 identity_server_analytics 5.6.0
wso2 identity_server_as_key_manager 5.10.0
wso2 enterprise_service_bus 5.0.0
wso2 identity_server_as_key_manager 5.5.0
wso2 identity_server 7.1.0
wso2 data_analytics_server 3.1.0
wso2 api_manager 4.3.0
wso2 api_manager 4.1.0
wso2 api_manager 3.2.0
wso2 open_banking_km 1.4.0
wso2 open_banking_km 1.5.0
wso2 open_banking_am 1.5.0
wso2 api_manager 2.1.0
wso2 api_manager 3.1.0
wso2 enterprise_mobility_manager 2.2.0
wso2 identity_server 5.8.0
wso2 enterprise_integrator 6.3.0
wso2 api_manager 4.0.0
wso2 identity_server 5.7.0
wso2 identity_server_analytics 5.2.0
wso2 api_manager_analytics 2.5.0
wso2 traffic_manager 4.5.0
wso2 identity_server_analytics 5.3.0
wso2 identity_server_as_key_manager 5.9.0
wso2 identity_server 5.3.0
wso2 identity_server 5.4.1
wso2 api_manager_analytics 2.1.0
wso2 api_manager_analytics 2.0.0
wso2 api_control_plane 4.5.0
wso2 universal_gateway 4.5.0
wso2 identity_server 5.10.0
wso2 identity_server 5.4.0
CVE-2025-9955

An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level. While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.7 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.1 3.6

Products Affected

Vendor Product Version
wso2 enterprise_integrator 6.1.0
wso2 enterprise_service_bus 5.0.0
wso2 enterprise_integrator 6.0.0
wso2 enterprise_integrator 6.1.1
wso2 enterprise_integrator 6.3.0
wso2 enterprise_integrator 6.5.0
wso2 enterprise_integrator 6.4.0
wso2 enterprise_integrator 6.2.0
wso2 enterprise_integrator 6.6.0