
CVE-2024-3511 – Incorrect Authorization in Multiple WSO2 Products Allows Unauthorized Access to Registry Versioned Files
https://notcve.org/view.php?id=CVE-2024-3511
23 Jun 2025 — An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aidin... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702 • CWE-863: Incorrect Authorization •

CVE-2024-1440 – Open Redirection in Multiple WSO2 Products via Multi-Option Authentication Endpoint
https://notcve.org/view.php?id=CVE-2024-1440
02 Jun 2025 — An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions. ... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3171 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2024-8008 – Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products via JDBC User Store Connection Validation
https://notcve.org/view.php?id=CVE-2024-8008
02 Jun 2025 — A reflected cross-site scripting (XSS) vulnerability exists in multiple [Vendor Name] products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, sinc... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-3509 – Stored Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products via Rich Text Editor
https://notcve.org/view.php?id=CVE-2024-3509
02 Jun 2025 — A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. While this iss... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-2701 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-7097 – Incorrect Authorization in Multiple WSO2 Products via SOAP Admin Service Allowing Unauthorized User Signup
https://notcve.org/view.php?id=CVE-2024-7097
30 May 2025 — An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574 • CWE-863: Incorrect Authorization •

CVE-2024-7096 – Privilege Escalation in Multiple WSO2 Products via SOAP Admin Service Due to Business Logic Flaw
https://notcve.org/view.php?id=CVE-2024-7096
30 May 2025 — A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge o... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3573 • CWE-863: Incorrect Authorization •

CVE-2024-5962 – Reflected Cross-Site Scripting (XSS) in Authentication Endpoint of Multiple WSO2 Products Due to Missing Output Encoding
https://notcve.org/view.php?id=CVE-2024-5962
22 May 2025 — A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of multiple WSO2 products due to missing output encoding of user-supplied input. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the authentication flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. While this issue could allow an attacker to manipulate the user’s browser, session-related sensitive cookies remai... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3443 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-2905 – Unauthenticated XML External Entity (XXE) Vulnerability in WSO2 API Manager Gateway Component
https://notcve.org/view.php?id=CVE-2025-2905
05 May 2025 — An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. * On systems running JDK 7 or early JDK 8, full file contents may be exposed. * On later ve... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993 • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2024-5848 – Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation
https://notcve.org/view.php?id=CVE-2024-5848
27 Feb 2025 — A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious JavaScript. Successful exploitation could lead to UI manipulation, redirection to malicious websites, or data exfiltration from the browser. While session-related sensitive cookies are protected with the httpOnly fla... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-2321 – Incorrect Authorization in Multiple WSO2 Products Allows API Access via Refresh Token
https://notcve.org/view.php?id=CVE-2024-2321
27 Feb 2025 — An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged una... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3213 • CWE-863: Incorrect Authorization •