CVSS: 4.8EPSS: 0%CPEs: 35EXPL: 0CVE-2023-6911
https://notcve.org/view.php?id=CVE-2023-6911
18 Dec 2023 — Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console. Se han identificado varios productos WSO2 como vulnerables debido a una codificación de salida incorrecta; un atacante puede llevar a cabo un ataque de Cross-Site Scripting (XSS) Almacenado inyectando un payload malicioso en la función de registro de Management... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1225 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6839
https://notcve.org/view.php?id=CVE-2023-6839
15 Dec 2023 — Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response. Debido a un manejo inadecuado de errores, un recurso de API REST podría exponer un error del lado del servidor que contenga un nombre de paquete interno específico de WSO2 en la respuesta HTTP. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6838
https://notcve.org/view.php?id=CVE-2023-6838
15 Dec 2023 — Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests. Vulnerabilidad XSS reflejada se puede explotar alterando un parámetro de solicitud en el endpoint de autenticación. Esto se puede realizar tanto en solicitudes autenticadas como no autenticadas. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1233 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 26EXPL: 0CVE-2023-6837
https://notcve.org/view.php?id=CVE-2023-6837
15 Dec 2023 — Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled. ... • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573 •
CVSS: 6.4EPSS: 26%CPEs: 1EXPL: 1CVE-2023-31664
https://notcve.org/view.php?id=CVE-2023-31664
23 May 2023 — A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter. • https://github.com/adilkhan7/CVE-2023-31664 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 1%CPEs: 13EXPL: 0CVE-2021-42646 – WSO2 Management Console XML Injection
https://notcve.org/view.php?id=CVE-2021-42646
11 May 2022 — XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests. Una vulnerabilidad de tipo XML External Entity (XXE) en la función de creación de proveedores de se... • http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 72%CPEs: 31EXPL: 4CVE-2022-29548 – WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-29548
21 Apr 2022 — A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1... • https://packetstorm.news/files/id/167587 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 94%CPEs: 11EXPL: 35CVE-2022-29464 – WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
https://notcve.org/view.php?id=CVE-2022-29464
18 Apr 2022 — Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, W... • https://packetstorm.news/files/id/166921 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 1%CPEs: 16EXPL: 0CVE-2021-36760
https://notcve.org/view.php?id=CVE-2021-36760
07 Dec 2021 — In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.) En el archivo accountrecoveryendpoint/recoverpassword.do en WSO2 Identity Server versión 5.7.0, es posible llevar a cabo un ... • https://docs.wso2.com/display/Security/2021+Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 76%CPEs: 17EXPL: 4CVE-2020-17453
https://notcve.org/view.php?id=CVE-2020-17453
05 Apr 2021 — WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter. WSO2 Management Console versiones hasta 5.10, permite un ataque de tipo XSS por medio del parámetro msgId en el archivo carbon/admin/login.jsp • https://github.com/karthi-the-hacker/CVE-2020-17453 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •