CVE-2024-6914
Incorrect Authorization in Multiple WSO2 Products via Account Recovery SOAP Admin Service Leading to Account Takeover
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.
This vulnerability allows remote attackers to bypass authentication on affected installations of WSO2 API Manager. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the user self-registration process. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to bypass authentication on the system.
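Two questions follow from the description above: is a given deployment inside one of the affected ranges listed in the table below, and is the "/services" context path reachable from a network the advisory would call untrusted. The Python below is an added example written for this page, not WSO2 tooling. It transcribes the first fixed update level of every range from the affected-versions table and assumes WSO2's four-part version notation means base release plus update level (so "4.2.0.57" is API Manager 4.2.0 at update level 57, and a bare "4.2.0" is update level 0). The probe function only reports the HTTP status that "/services/" returns from wherever it is run; it does not touch the account recovery service and is not an exploit.

```python
"""Added example for CVE-2024-6914: decide whether a WSO2 product/version
falls inside the affected ranges listed on this page, and optionally report
whether the "/services" context path answers from the caller's network
position. Not WSO2 tooling; ranges are copied from the page's table."""
import ssl
import urllib.error
import urllib.request

# First fixed update level per base release, transcribed from the page's
# affected-versions table. Assumption: a WSO2 version "A.B.C.N" is base
# release A.B.C at update level N, so each entry's affected range is
# [A.B.C.0, A.B.C.N).
FIXED_UPDATE_LEVEL = {
    "WSO2 API Manager": [
        "2.2.0.55", "2.5.0.82", "2.6.0.141", "3.0.0.161", "3.1.0.292",
        "3.2.0.382", "3.2.1.14", "4.0.0.304", "4.1.0.164", "4.2.0.99",
        "4.3.0.15",
    ],
    "WSO2 Governance Registry": ["5.4.0.14"],
    "WSO2 Identity Server": [
        "5.3.0.31", "5.4.0.30", "5.4.1.35", "5.5.0.48", "5.6.0.56",
        "5.7.0.122", "5.8.0.104", "5.9.0.155", "5.10.0.317", "5.11.0.363",
        "6.0.0.207", "6.1.0.184", "7.0.0.56",
    ],
    "WSO2 Identity Server As Key Manager": [
        "5.3.0.36", "5.5.0.49", "5.6.0.70", "5.7.0.121", "5.9.0.162",
        "5.10.0.311",
    ],
    "WSO2 IoT": ["3.3.0.59", "3.3.1.61"],
    "WSO2 Open Banking AM": ["1.3.0.130", "1.4.0.133", "1.5.0.135", "2.0.0.341"],
    "WSO2 Open Banking KM": ["1.3.0.113", "1.4.0.129", "1.5.0.119"],
    "WSO2 Open Banking IAM": ["2.0.0.362"],
    "WSO2 Carbon Identity Management": [
        "5.7.5.9", "5.10.86.4", "5.10.112.14", "5.11.148.13", "5.11.256.15",
        "5.12.153.58", "5.12.387.41", "5.14.97.75", "5.17.5.282",
        "5.17.118.4", "5.18.187.265", "5.18.248.14", "5.23.8.184",
        "5.24.8.6", "5.25.92.92", "5.25.705.6", "7.0.78.32",
    ],
}


def parse_version(version):
    """'4.2.0.57' -> (4, 2, 0, 57); a bare '4.2.0' is treated as update level 0."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) == 3:
        parts.append(0)
    if len(parts) != 4 or any(p < 0 for p in parts):
        raise ValueError(f"unsupported WSO2 version string: {version!r}")
    return tuple(parts)


def affected_range(product, version):
    """Return (range_start, first_fixed) if the version is affected, else None."""
    v = parse_version(version)
    for fixed in FIXED_UPDATE_LEVEL.get(product, []):
        f = parse_version(fixed)
        start = f[:3] + (0,)          # same base release at update level 0
        if start <= v < f:            # half-open: the fixed level itself is clean
            return ".".join(map(str, start)), fixed
    return None


def is_affected(product, version):
    return affected_range(product, version) is not None


def probe_services_path(base_url, timeout=5):
    """HTTP status of <base_url>/services/ from where this runs (network call,
    not exercised offline). A 2xx obtained from an untrusted network means the
    admin-service context the advisory names is reachable there, which the
    'Security Guidelines for Production Deployment' say to restrict.
    Certificate checks are disabled only because lab deployments typically
    use the self-signed Carbon keystore; keep them on against real hosts."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + "/services/"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for product, version in [("WSO2 API Manager", "4.2.0.57"),
                             ("WSO2 API Manager", "4.2.0.99"),
                             ("WSO2 Identity Server", "7.0.0")]:
        print(product, version, "->", affected_range(product, version))
```

A version at exactly the listed fixed update level is reported as not affected because the page's ranges are half-open; anything below it within the same base release is affected, including an unpatched base release. The probe is a reachability check only: a non-2xx from outside says nothing about whether the flaw is patched, and a 2xx from inside a trusted network is expected.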
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-07-19 CVE Reserved
- 2024-12-30 CVE Published
- 2025-05-22 CVE Updated
- 2025-06-23 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://security.docs.wso2.com/en/latest/security-guidelines/security-guidelines-for-production-deployment | Related |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
WSO2 | WSO2 API Manager | >= 2.2.0.0 < 2.2.0.55 | Affected
WSO2 | WSO2 API Manager | >= 2.5.0.0 < 2.5.0.82 | Affected
WSO2 | WSO2 API Manager | >= 2.6.0.0 < 2.6.0.141 | Affected
WSO2 | WSO2 API Manager | >= 3.0.0.0 < 3.0.0.161 | Affected
WSO2 | WSO2 API Manager | >= 3.1.0.0 < 3.1.0.292 | Affected
WSO2 | WSO2 API Manager | >= 3.2.0.0 < 3.2.0.382 | Affected
WSO2 | WSO2 API Manager | >= 3.2.1.0 < 3.2.1.14 | Affected
WSO2 | WSO2 API Manager | >= 4.0.0.0 < 4.0.0.304 | Affected
WSO2 | WSO2 API Manager | >= 4.1.0.0 < 4.1.0.164 | Affected
WSO2 | WSO2 API Manager | >= 4.2.0.0 < 4.2.0.99 | Affected
WSO2 | WSO2 API Manager | >= 4.3.0.0 < 4.3.0.15 | Affected
WSO2 | WSO2 Governance Registry | >= 5.4.0.0 < 5.4.0.14 | Affected
WSO2 | WSO2 Identity Server | >= 5.3.0.0 < 5.3.0.31 | Affected
WSO2 | WSO2 Identity Server | >= 5.4.0.0 < 5.4.0.30 | Affected
WSO2 | WSO2 Identity Server | >= 5.4.1.0 < 5.4.1.35 | Affected
WSO2 | WSO2 Identity Server | >= 5.5.0.0 < 5.5.0.48 | Affected
WSO2 | WSO2 Identity Server | >= 5.6.0.0 < 5.6.0.56 | Affected
WSO2 | WSO2 Identity Server | >= 5.7.0.0 < 5.7.0.122 | Affected
WSO2 | WSO2 Identity Server | >= 5.8.0.0 < 5.8.0.104 | Affected
WSO2 | WSO2 Identity Server | >= 5.9.0.0 < 5.9.0.155 | Affected
WSO2 | WSO2 Identity Server | >= 5.10.0.0 < 5.10.0.317 | Affected
WSO2 | WSO2 Identity Server | >= 5.11.0.0 < 5.11.0.363 | Affected
WSO2 | WSO2 Identity Server | >= 6.0.0.0 < 6.0.0.207 | Affected
WSO2 | WSO2 Identity Server | >= 6.1.0.0 < 6.1.0.184 | Affected
WSO2 | WSO2 Identity Server | >= 7.0.0.0 < 7.0.0.56 | Affected
WSO2 | WSO2 Identity Server As Key Manager | >= 5.3.0.0 < 5.3.0.36 | Affected
WSO2 | WSO2 Identity Server As Key Manager | >= 5.5.0.0 < 5.5.0.49 | Affected
WSO2 | WSO2 Identity Server As Key Manager | >= 5.6.0.0 < 5.6.0.70 | Affected
WSO2 | WSO2 Identity Server As Key Manager | >= 5.7.0.0 < 5.7.0.121 | Affected
WSO2 | WSO2 Identity Server As Key Manager | >= 5.9.0.0 < 5.9.0.162 | Affected
WSO2 | WSO2 Identity Server As Key Manager | >= 5.10.0.0 < 5.10.0.311 | Affected
WSO2 | WSO2 IoT | >= 3.3.0.0 < 3.3.0.59 | Affected
WSO2 | WSO2 IoT | >= 3.3.1.0 < 3.3.1.61 | Affected
WSO2 | WSO2 Open Banking AM | >= 1.3.0.0 < 1.3.0.130 | Affected
WSO2 | WSO2 Open Banking AM | >= 1.4.0.0 < 1.4.0.133 | Affected
WSO2 | WSO2 Open Banking AM | >= 1.5.0.0 < 1.5.0.135 | Affected
WSO2 | WSO2 Open Banking AM | >= 2.0.0.0 < 2.0.0.341 | Affected
WSO2 | WSO2 Open Banking KM | >= 1.3.0.0 < 1.3.0.113 | Affected
WSO2 | WSO2 Open Banking KM | >= 1.4.0.0 < 1.4.0.129 | Affected
WSO2 | WSO2 Open Banking KM | >= 1.5.0.0 < 1.5.0.119 | Affected
WSO2 | WSO2 Open Banking IAM | >= 2.0.0.0 < 2.0.0.362 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.7.5.0 < 5.7.5.9 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.10.86.0 < 5.10.86.4 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.10.112.0 < 5.10.112.14 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.11.148.0 < 5.11.148.13 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.11.256.0 < 5.11.256.15 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.12.153.0 < 5.12.153.58 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.12.387.0 < 5.12.387.41 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.14.97.0 < 5.14.97.75 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.17.5.0 < 5.17.5.282 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.17.118.0 < 5.17.118.4 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.18.187.0 < 5.18.187.265 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.18.248.0 < 5.18.248.14 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.23.8.0 < 5.23.8.184 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.24.8.0 < 5.24.8.6 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.25.92.0 < 5.25.92.92 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 5.25.705.0 < 5.25.705.6 | Affected
WSO2 | WSO2 Carbon Identity Management | >= 7.0.78.0 < 7.0.78.32 | Affected