CVE-2024-3509

Stored Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products via Rich Text Editor

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section.
To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. While this issue enables persistent client-side script execution, session-related cookies remain protected with the httpOnly flag, preventing session hijacking.

Existe una vulnerabilidad de cross site scripting (XSS) almacenado en la consola de administración de varios productos WSO2 debido a una validación de entrada insuficiente en el editor de texto enriquecido de la sección de registro. Para explotar esta vulnerabilidad, un agente malicioso debe tener una cuenta de usuario válida con acceso administrativo a la consola de administración. De tener éxito, el agente podría inyectar payloads persistentes de JavaScript, lo que permite el robo de datos de usuario o la ejecución de acciones no autorizadas en nombre de otros usuarios. Si bien este problema permite la ejecución persistente de scripts del lado del cliente, las cookies de sesión permanecen protegidas con el indicador httpOnly, lo que evita el secuestro de sesión.

A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. While this issue enables persistent client-side script execution, session-related cookies remain protected with the httpOnly flag, preventing session hijacking.

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

Multiple

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-09 CVE Reserved
2025-06-02 CVE Published
2025-06-02 CVE Updated
2025-06-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-2701	2025-06-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
WSO2 Search vendor "WSO2"		WSO2 Enterprise Integrator Search vendor "WSO2" for product "WSO2 Enterprise Integrator"				>= 6.6.0.0 < 6.6.0.202 Search vendor "WSO2" for product "WSO2 Enterprise Integrator" and version " >= 6.6.0.0 < 6.6.0.202"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 API Manager Search vendor "WSO2" for product "WSO2 API Manager"				>= 3.1.0.0 < 3.1.0.275 Search vendor "WSO2" for product "WSO2 API Manager" and version " >= 3.1.0.0 < 3.1.0.275"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 API Manager Search vendor "WSO2" for product "WSO2 API Manager"				>= 3.2.0.0 < 3.2.0.392 Search vendor "WSO2" for product "WSO2 API Manager" and version " >= 3.2.0.0 < 3.2.0.392"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 API Manager Search vendor "WSO2" for product "WSO2 API Manager"				>= 3.2.1.0 < 3.2.1.19 Search vendor "WSO2" for product "WSO2 API Manager" and version " >= 3.2.1.0 < 3.2.1.19"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 API Manager Search vendor "WSO2" for product "WSO2 API Manager"				>= 4.0.0.0 < 4.0.0.308 Search vendor "WSO2" for product "WSO2 API Manager" and version " >= 4.0.0.0 < 4.0.0.308"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 API Manager Search vendor "WSO2" for product "WSO2 API Manager"				>= 4.1.0.0 < 4.1.0.171 Search vendor "WSO2" for product "WSO2 API Manager" and version " >= 4.1.0.0 < 4.1.0.171"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 API Manager Search vendor "WSO2" for product "WSO2 API Manager"				>= 4.2.0.0 < 4.2.0.107 Search vendor "WSO2" for product "WSO2 API Manager" and version " >= 4.2.0.0 < 4.2.0.107"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 API Manager Search vendor "WSO2" for product "WSO2 API Manager"				>= 4.3.0.0 < 4.3.0.21 Search vendor "WSO2" for product "WSO2 API Manager" and version " >= 4.3.0.0 < 4.3.0.21"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Open Banking AM Search vendor "WSO2" for product "WSO2 Open Banking AM"				>= 2.0.0.0 < 2.0.0.325 Search vendor "WSO2" for product "WSO2 Open Banking AM" and version " >= 2.0.0.0 < 2.0.0.325"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Open Banking IAM Search vendor "WSO2" for product "WSO2 Open Banking IAM"				>= 2.0.0.0 < 2.0.0.345 Search vendor "WSO2" for product "WSO2 Open Banking IAM" and version " >= 2.0.0.0 < 2.0.0.345"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Identity Server As Key Manager Search vendor "WSO2" for product "WSO2 Identity Server As Key Manager"				>= 5.10.0.0 < 5.10.0.292 Search vendor "WSO2" for product "WSO2 Identity Server As Key Manager" and version " >= 5.10.0.0 < 5.10.0.292"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Identity Server Search vendor "WSO2" for product "WSO2 Identity Server"				>= 5.10.0.0 < 5.10.0.296 Search vendor "WSO2" for product "WSO2 Identity Server" and version " >= 5.10.0.0 < 5.10.0.296"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Identity Server Search vendor "WSO2" for product "WSO2 Identity Server"				>= 5.11.0.0 < 5.11.0.333 Search vendor "WSO2" for product "WSO2 Identity Server" and version " >= 5.11.0.0 < 5.11.0.333"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Identity Server Search vendor "WSO2" for product "WSO2 Identity Server"				>= 6.0.0.0 < 6.0.0.181 Search vendor "WSO2" for product "WSO2 Identity Server" and version " >= 6.0.0.0 < 6.0.0.181"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Identity Server Search vendor "WSO2" for product "WSO2 Identity Server"				>= 6.1.0.0 < 6.1.0.142 Search vendor "WSO2" for product "WSO2 Identity Server" and version " >= 6.1.0.0 < 6.1.0.142"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Identity Server Search vendor "WSO2" for product "WSO2 Identity Server"				>= 7.0.0.0 < 7.0.0.9 Search vendor "WSO2" for product "WSO2 Identity Server" and version " >= 7.0.0.0 < 7.0.0.9"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.7.24.0 < 4.7.24.6 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.7.24.0 < 4.7.24.6"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.7.32.0 < 4.7.32.10 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.7.32.0 < 4.7.32.10"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.7.33.0 < 4.7.33.8 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.7.33.0 < 4.7.33.8"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.7.35.0 < 4.7.35.8 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.7.35.0 < 4.7.35.8"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.7.39.0 < 4.7.39.6 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.7.39.0 < 4.7.39.6"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.7.51.0 < 4.7.51.2 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.7.51.0 < 4.7.51.2"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.8.3.0 < 4.8.3.7 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.8.3.0 < 4.8.3.7"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.8.9.0 < 4.8.9.3 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.8.9.0 < 4.8.9.3"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.8.12.0 < 4.8.12.2 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.8.12.0 < 4.8.12.2"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.8.13.0 < 4.8.13.4 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.8.13.0 < 4.8.13.4"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.8.24.0 < 4.8.24.1 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.8.24.0 < 4.8.24.1"		en		Affected
WSO2 Search vendor "WSO2"		WSO2 Carbon Registry Resources UI Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI"				>= 4.8.32.0 < 4.8.32.2 Search vendor "WSO2" for product "WSO2 Carbon Registry Resources UI" and version " >= 4.8.32.0 < 4.8.32.2"		en		Affected