CVSS: 4.3EPSS: 0%CPEs: 42EXPL: 0CVE-2024-7097 – Incorrect Authorization in Multiple WSO2 Products via SOAP Admin Service Allowing Unauthorized User Signup
https://notcve.org/view.php?id=CVE-2024-7097
30 May 2025 — An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574 • CWE-863: Incorrect Authorization •
CVSS: 4.2EPSS: 0%CPEs: 41EXPL: 0CVE-2024-7096 – Privilege Escalation in Multiple WSO2 Products via SOAP Admin Service Due to Business Logic Flaw
https://notcve.org/view.php?id=CVE-2024-7096
30 May 2025 — A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge o... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3573 • CWE-863: Incorrect Authorization •
CVSS: 7.2EPSS: 0%CPEs: 49EXPL: 0CVE-2024-7074 – Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-7074
30 Dec 2024 — An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially ma... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3566 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 58EXPL: 0CVE-2024-6914 – Incorrect Authorization in Multiple WSO2 Products via Account Recovery SOAP Admin Service Leading to Account Takeover
https://notcve.org/view.php?id=CVE-2024-6914
30 Dec 2024 — An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if ... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3561 • CWE-863: Incorrect Authorization •