CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2024-5848 – Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation
https://notcve.org/view.php?id=CVE-2024-5848
27 Feb 2025 — A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious JavaScript. Successful exploitation could lead to UI manipulation, redirection to malicious websites, or data exfiltration from the browser. While session-related sensitive cookies are protected with the httpOnly fla... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0392 – Cross-Site Request Forgery (CSRF) in WSO2 Enterprise Integrator 6.6.0 Management Console Due to Missing CSRF Token Validation
https://notcve.org/view.php?id=CVE-2024-0392
27 Feb 2025 — A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence of CSRF token validation. This flaw allows attackers to craft malicious requests that can trigger state-changing operations on behalf of an authenticated user, potentially compromising account settings and data integrity. The vulnerability only affects a limited set of state-changing operations, and successful exploitation requires social engineering to trick a user with ... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2023-2987 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2024-2321 – Incorrect Authorization in Multiple WSO2 Products Allows API Access via Refresh Token
https://notcve.org/view.php?id=CVE-2024-2321
27 Feb 2025 — An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged una... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3213 • CWE-863: Incorrect Authorization •
CVSS: 4.8EPSS: 0%CPEs: 35EXPL: 0CVE-2023-6911
https://notcve.org/view.php?id=CVE-2023-6911
18 Dec 2023 — Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console. Se han identificado varios productos WSO2 como vulnerables debido a una codificación de salida incorrecta; un atacante puede llevar a cabo un ataque de Cross-Site Scripting (XSS) Almacenado inyectando un payload malicioso en la función de registro de Management... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6839
https://notcve.org/view.php?id=CVE-2023-6839
15 Dec 2023 — Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response. Debido a un manejo inadecuado de errores, un recurso de API REST podría exponer un error del lado del servidor que contenga un nombre de paquete interno específico de WSO2 en la respuesta HTTP. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6838
https://notcve.org/view.php?id=CVE-2023-6838
15 Dec 2023 — Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests. Vulnerabilidad XSS reflejada se puede explotar alterando un parámetro de solicitud en el endpoint de autenticación. Esto se puede realizar tanto en solicitudes autenticadas como no autenticadas. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1233 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 26EXPL: 0CVE-2023-6837
https://notcve.org/view.php?id=CVE-2023-6837
15 Dec 2023 — Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled. ... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573 •
CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-6836
https://notcve.org/view.php?id=CVE-2023-6836
15 Dec 2023 — Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information. Se han identificado varios productos WSO2 como vulnerables debido a que un ataque de entidad externa XML (XXE) abusa de una característica ampliamente disponible pero rara vez utilizada de los analizadores XML para acceder a información confidencial. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6835
https://notcve.org/view.php?id=CVE-2023-6835
15 Dec 2023 — Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated. Se han identificado varios productos WSO2 como vulnerables debido a la falta de validación de entrada del lado del servidor en la función Foro; la clasificación API podría manipularse. Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357 • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 26%CPEs: 1EXPL: 1CVE-2023-31664
https://notcve.org/view.php?id=CVE-2023-31664
23 May 2023 — A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter. • https://github.com/adilkhan7/CVE-2023-31664 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •