CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-6836
https://notcve.org/view.php?id=CVE-2023-6836
15 Dec 2023 — Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information. Se han identificado varios productos WSO2 como vulnerables debido a que un ataque de entidad externa XML (XXE) abusa de una característica ampliamente disponible pero rara vez utilizada de los analizadores XML para acceder a información confidencial. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6835
https://notcve.org/view.php?id=CVE-2023-6835
15 Dec 2023 — Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated. Se han identificado varios productos WSO2 como vulnerables debido a la falta de validación de entrada del lado del servidor en la función Foro; la clasificación API podría manipularse. Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357 • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 18%CPEs: 1EXPL: 1CVE-2023-31664
https://notcve.org/view.php?id=CVE-2023-31664
23 May 2023 — A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter. • https://github.com/adilkhan7/CVE-2023-31664 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4520 – WSO2 carbon-registry Advanced Search advancedSearchForm-ajaxprocessor.jsp cross site scripting
https://notcve.org/view.php?id=CVE-2022-4520
15 Dec 2022 — A vulnerability was found in WSO2 carbon-registry up to 4.8.11. It has been rated as problematic. Affected by this issue is some unknown functionality of the file components/registry/org.wso2.carbon.registry.search.ui/src/main/resources/web/search/advancedSearchForm-ajaxprocessor.jsp of the component Advanced Search. The manipulation of the argument mediaType/rightOp/leftOp/rightPropertyValue/leftPropertyValue leads to cross site scripting. The attack may be launched remotely. • https://github.com/wso2/carbon-registry/commit/0c827cc1b14b82d8eb86117ab2e43c34bb91ddb4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-707: Improper Neutralization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4521 – WSO2 carbon-registry Request Parameter cross site scripting
https://notcve.org/view.php?id=CVE-2022-4521
15 Dec 2022 — A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.6. This affects an unknown part of the component Request Parameter Handler. The manipulation of the argument parentPath/path/username/path/profile_menu leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.8.7 is able to address this issue. • https://github.com/wso2/carbon-registry/commit/9f967abfde9317bee2cda469dbc09b57d539f2cc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 5%CPEs: 1EXPL: 0CVE-2022-39810
https://notcve.org/view.php?id=CVE-2022-39810
09 Sep 2022 — An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible. Se ha detectado un problema en WSO2 Enterprise Integrator versión 6.4.0. Se ha identificado una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado en la consola de administración en el archivo /... • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39809
https://notcve.org/view.php?id=CVE-2022-39809
09 Sep 2022 — An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible. Se ha detectado un problema en WSO2 Enterprise Integrator versión 6.4.0. Se ha identificado una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado en la consola de administración en el archivo ... • https://www.gruppotim.it/it/footer/red-team.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 1%CPEs: 13EXPL: 0CVE-2021-42646 – WSO2 Management Console XML Injection
https://notcve.org/view.php?id=CVE-2021-42646
11 May 2022 — XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests. Una vulnerabilidad de tipo XML External Entity (XXE) en la función de creación de proveedores de se... • http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 79%CPEs: 31EXPL: 4CVE-2022-29548 – WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-29548
21 Apr 2022 — A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1... • https://packetstorm.news/files/id/167587 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 94%CPEs: 11EXPL: 38CVE-2022-29464 – WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
https://notcve.org/view.php?id=CVE-2022-29464
18 Apr 2022 — Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, W... • https://packetstorm.news/files/id/166921 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •