CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2905 – Unauthenticated XML External Entity (XXE) Vulnerability in WSO2 API Manager Gateway Component
https://notcve.org/view.php?id=CVE-2025-2905
05 May 2025 — An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. * On systems running JDK 7 or early JDK 8, full file contents may be exposed. * On later ve... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2024-5848 – Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation
https://notcve.org/view.php?id=CVE-2024-5848
27 Feb 2025 — A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious JavaScript. Successful exploitation could lead to UI manipulation, redirection to malicious websites, or data exfiltration from the browser. While session-related sensitive cookies are protected with the httpOnly fla... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0392 – Cross-Site Request Forgery (CSRF) in WSO2 Enterprise Integrator 6.6.0 Management Console Due to Missing CSRF Token Validation
https://notcve.org/view.php?id=CVE-2024-0392
27 Feb 2025 — A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence of CSRF token validation. This flaw allows attackers to craft malicious requests that can trigger state-changing operations on behalf of an authenticated user, potentially compromising account settings and data integrity. The vulnerability only affects a limited set of state-changing operations, and successful exploitation requires social engineering to trick a user with ... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2023-2987 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2024-2321 – Incorrect Authorization in Multiple WSO2 Products Allows API Access via Refresh Token
https://notcve.org/view.php?id=CVE-2024-2321
27 Feb 2025 — An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged una... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3213 • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 0%CPEs: 58EXPL: 0CVE-2024-6914 – Incorrect Authorization in Multiple WSO2 Products via Account Recovery SOAP Admin Service Leading to Account Takeover
https://notcve.org/view.php?id=CVE-2024-6914
30 Dec 2024 — An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if ... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3561 • CWE-863: Incorrect Authorization •
CVSS: 7.2EPSS: 0%CPEs: 49EXPL: 0CVE-2024-7074 – Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-7074
30 Dec 2024 — An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially ma... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3566 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: 35EXPL: 0CVE-2023-6911
https://notcve.org/view.php?id=CVE-2023-6911
18 Dec 2023 — Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console. Se han identificado varios productos WSO2 como vulnerables debido a una codificación de salida incorrecta; un atacante puede llevar a cabo un ataque de Cross-Site Scripting (XSS) Almacenado inyectando un payload malicioso en la función de registro de Management... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6839
https://notcve.org/view.php?id=CVE-2023-6839
15 Dec 2023 — Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response. Debido a un manejo inadecuado de errores, un recurso de API REST podría exponer un error del lado del servidor que contenga un nombre de paquete interno específico de WSO2 en la respuesta HTTP. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6838
https://notcve.org/view.php?id=CVE-2023-6838
15 Dec 2023 — Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests. Vulnerabilidad XSS reflejada se puede explotar alterando un parámetro de solicitud en el endpoint de autenticación. Esto se puede realizar tanto en solicitudes autenticadas como no autenticadas. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1233 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 26EXPL: 0CVE-2023-6837 – Incorrect Authorization in Multiple [Vendor Name] Products via Federated Authentication with JIT Provisioning Leading to User Impersonation
https://notcve.org/view.php?id=CVE-2023-6837
15 Dec 2023 — Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled. ... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573 • CWE-863: Incorrect Authorization •