CVSS: 4.8EPSS: 0%CPEs: 35EXPL: 0CVE-2023-6911
https://notcve.org/view.php?id=CVE-2023-6911
Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console. Se han identificado varios productos WSO2 como vulnerables debido a una codificación de salida incorrecta; un atacante puede llevar a cabo un ataque de Cross-Site Scripting (XSS) Almacenado inyectando un payload malicioso en la función de registro de Management Console. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 0CVE-2023-6836
https://notcve.org/view.php?id=CVE-2023-6836
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information. Se han identificado varios productos WSO2 como vulnerables debido a que un ataque de entidad externa XML (XXE) abusa de una característica ampliamente disponible pero rara vez utilizada de los analizadores XML para acceder a información confidencial. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6835
https://notcve.org/view.php?id=CVE-2023-6835
Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated. Se han identificado varios productos WSO2 como vulnerables debido a la falta de validación de entrada del lado del servidor en la función Foro; la clasificación API podría manipularse. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-31664
https://notcve.org/view.php?id=CVE-2023-31664
A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter. • https://github.com/adilkhan7/CVE-2023-31664 https://github.com/wso2/api-manager/issues?q=is%3Aissue+is%3Aclosed+label%3AComponent%2FAPIM+closed%3A2022-04-05..2023-03-11 https://github.com/wso2/product-apim/releases/tag/v4.2.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 4%CPEs: 31EXPL: 3CVE-2022-29548 – WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-29548
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0. Se presenta un problema de tipo XSS reflejado en la Consola de Administración de varios productos WSO2. Esto afecta a API Manager versiones 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 y 4.0.0; API Manager Analytics versiones 2.2.0, 2.5.0 y 2.6.0; API Microgateway versión 2.2.0; Data Analytics Server versión 3.2.0; Enterprise Integrator versiones 6.2.0, 6.3.0, 6.4. 0, 6.5.0 y 6.6.0; IS as Key Manager versiones 5.5.0, 5.6.0, 5.7.0, 5.9.0 y 5.10.0; Identity Server versiones 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0 y 5.11.0; Identity Server Analytics versiones 5.5.0 y 5.6.0; y WSO2 Micro Integrator versión 1.0.0 WSO2 Management Console suffers from a cross site scripting vulnerability. Many different product versions are affected. • https://www.exploit-db.com/exploits/50970 https://github.com/cxosmo/CVE-2022-29548 http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •