CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4520 – WSO2 carbon-registry Advanced Search advancedSearchForm-ajaxprocessor.jsp cross site scripting
https://notcve.org/view.php?id=CVE-2022-4520
15 Dec 2022 — A vulnerability was found in WSO2 carbon-registry up to 4.8.11. It has been rated as problematic. Affected by this issue is some unknown functionality of the file components/registry/org.wso2.carbon.registry.search.ui/src/main/resources/web/search/advancedSearchForm-ajaxprocessor.jsp of the component Advanced Search. The manipulation of the argument mediaType/rightOp/leftOp/rightPropertyValue/leftPropertyValue leads to cross site scripting. The attack may be launched remotely. • https://github.com/wso2/carbon-registry/commit/0c827cc1b14b82d8eb86117ab2e43c34bb91ddb4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-707: Improper Neutralization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4521 – WSO2 carbon-registry Request Parameter cross site scripting
https://notcve.org/view.php?id=CVE-2022-4521
15 Dec 2022 — A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.6. This affects an unknown part of the component Request Parameter Handler. The manipulation of the argument parentPath/path/username/path/profile_menu leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.8.7 is able to address this issue. • https://github.com/wso2/carbon-registry/commit/9f967abfde9317bee2cda469dbc09b57d539f2cc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 5%CPEs: 1EXPL: 0CVE-2022-39810
https://notcve.org/view.php?id=CVE-2022-39810
09 Sep 2022 — An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible. Se ha detectado un problema en WSO2 Enterprise Integrator versión 6.4.0. Se ha identificado una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado en la consola de administración en el archivo /... • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39809
https://notcve.org/view.php?id=CVE-2022-39809
09 Sep 2022 — An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible. Se ha detectado un problema en WSO2 Enterprise Integrator versión 6.4.0. Se ha identificado una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado en la consola de administración en el archivo ... • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 1%CPEs: 13EXPL: 0CVE-2021-42646 – WSO2 Management Console XML Injection
https://notcve.org/view.php?id=CVE-2021-42646
11 May 2022 — XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests. Una vulnerabilidad de tipo XML External Entity (XXE) en la función de creación de proveedores de se... • http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 72%CPEs: 31EXPL: 4CVE-2022-29548 – WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-29548
21 Apr 2022 — A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1... • https://packetstorm.news/files/id/167587 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 94%CPEs: 11EXPL: 35CVE-2022-29464 – WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
https://notcve.org/view.php?id=CVE-2022-29464
18 Apr 2022 — Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, W... • https://packetstorm.news/files/id/166921 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 1%CPEs: 16EXPL: 0CVE-2021-36760
https://notcve.org/view.php?id=CVE-2021-36760
07 Dec 2021 — In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.) En el archivo accountrecoveryendpoint/recoverpassword.do en WSO2 Identity Server versión 5.7.0, es posible llevar a cabo un ... • https://docs.wso2.com/display/Security/2021+Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 76%CPEs: 17EXPL: 4CVE-2020-17453
https://notcve.org/view.php?id=CVE-2020-17453
05 Apr 2021 — WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter. WSO2 Management Console versiones hasta 5.10, permite un ataque de tipo XSS por medio del parámetro msgId en el archivo carbon/admin/login.jsp • https://github.com/karthi-the-hacker/CVE-2020-17453 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 1CVE-2020-27885
https://notcve.org/view.php?id=CVE-2020-27885
29 Oct 2020 — Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s password and invalidate the session of the victim while the hacker maintains access. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en WSO2 API Manager versión 3.1.0. Al explotar una vulnerabilidad de tipo Cross-site scripting el atacante puede se... • https://docs.wso2.com/display/Security/2020+Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •