Search criteria
42 vulnerabilities found for open_banking_am by wso2
FKIE_CVE-2025-10853
Vulnerability from fkie_nvd - Published: 2025-11-05 20:15 - Updated: 2025-11-13 15:31
Severity ?
5.2 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.
Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_control_plane | 4.5.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 3.2.1 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | api_manager | 4.1.0 | |
| wso2 | api_manager | 4.2.0 | |
| wso2 | api_manager | 4.3.0 | |
| wso2 | api_manager | 4.4.0 | |
| wso2 | api_manager | 4.5.0 | |
| wso2 | enterprise_integrator | 6.6.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server | 6.0.0 | |
| wso2 | identity_server | 6.1.0 | |
| wso2 | identity_server | 7.0.0 | |
| wso2 | identity_server | 7.1.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | open_banking_am | 2.0.0 | |
| wso2 | open_banking_iam | 2.0.0 | |
| wso2 | traffic_manager | 4.5.0 | |
| wso2 | universal_gateway | 4.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "EA76533A-5BED-4BDC-B348-EB3D3FDFB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C1EFBD0F-9664-4EF3-9908-C72B1318F68F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "A5358E6E-8C01-408D-8692-B1A326DC630F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.\n\nSuccessful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking."
}
],
"id": "CVE-2025-10853",
"lastModified": "2025-11-13T15:31:45.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.7,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-05T20:15:32.297",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-10907
Vulnerability from fkie_nvd - Published: 2025-11-05 18:15 - Updated: 2025-12-04 21:07
Severity ?
8.4 (High) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.
Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_control_plane | 4.5.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 3.2.1 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | api_manager | 4.1.0 | |
| wso2 | api_manager | 4.2.0 | |
| wso2 | api_manager | 4.3.0 | |
| wso2 | api_manager | 4.4.0 | |
| wso2 | api_manager | 4.5.0 | |
| wso2 | enterprise_integrator | 6.6.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server | 6.0.0 | |
| wso2 | identity_server | 6.1.0 | |
| wso2 | identity_server | 7.0.0 | |
| wso2 | identity_server | 7.1.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | open_banking_am | 2.0.0 | |
| wso2 | open_banking_iam | 2.0.0 | |
| wso2 | traffic_manager | 4.5.0 | |
| wso2 | universal_gateway | 4.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "EA76533A-5BED-4BDC-B348-EB3D3FDFB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C1EFBD0F-9664-4EF3-9908-C72B1318F68F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "A5358E6E-8C01-408D-8692-B1A326DC630F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.\n\nSuccessful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services."
}
],
"id": "CVE-2025-10907",
"lastModified": "2025-12-04T21:07:22.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 6.0,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-05T18:15:33.347",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-10713
Vulnerability from fkie_nvd - Published: 2025-11-05 18:15 - Updated: 2025-12-04 21:07
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Summary
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_control_plane | 4.5.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 3.2.1 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | api_manager | 4.1.0 | |
| wso2 | api_manager | 4.2.0 | |
| wso2 | api_manager | 4.3.0 | |
| wso2 | api_manager | 4.4.0 | |
| wso2 | api_manager | 4.5.0 | |
| wso2 | enterprise_integrator | 6.6.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server | 7.1.0 | |
| wso2 | open_banking_am | 2.0.0 | |
| wso2 | open_banking_iam | 2.0.0 | |
| wso2 | traffic_manager | 4.5.0 | |
| wso2 | universal_gateway | 4.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "A5358E6E-8C01-408D-8692-B1A326DC630F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.\n\nA successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server\u0027s filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable."
}
],
"id": "CVE-2025-10713",
"lastModified": "2025-12-04T21:07:04.400",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-05T18:15:32.247",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-5605
Vulnerability from fkie_nvd - Published: 2025-10-24 10:15 - Updated: 2025-11-21 14:20
Severity ?
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.
The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_control_plane | 4.5.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 3.2.1 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | api_manager | 4.1.0 | |
| wso2 | api_manager | 4.2.0 | |
| wso2 | api_manager | 4.3.0 | |
| wso2 | api_manager | 4.4.0 | |
| wso2 | api_manager | 4.5.0 | |
| wso2 | enterprise_integrator | 6.6.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server | 6.0.0 | |
| wso2 | identity_server | 6.1.0 | |
| wso2 | identity_server | 7.0.0 | |
| wso2 | identity_server | 7.1.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | open_banking_am | 2.0.0 | |
| wso2 | open_banking_iam | 2.0.0 | |
| wso2 | traffic_manager | 4.5.0 | |
| wso2 | universal_gateway | 4.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "EA76533A-5BED-4BDC-B348-EB3D3FDFB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C1EFBD0F-9664-4EF3-9908-C72B1318F68F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "A5358E6E-8C01-408D-8692-B1A326DC630F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\n\nThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details."
}
],
"id": "CVE-2025-5605",
"lastModified": "2025-11-21T14:20:43.277",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-24T10:15:39.160",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-5350
Vulnerability from fkie_nvd - Published: 2025-10-24 10:15 - Updated: 2025-11-21 14:33
Severity ?
5.9 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context.
By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk.
Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_control_plane | 4.5.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 3.2.1 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | api_manager | 4.1.0 | |
| wso2 | api_manager | 4.2.0 | |
| wso2 | api_manager | 4.3.0 | |
| wso2 | api_manager | 4.4.0 | |
| wso2 | api_manager | 4.5.0 | |
| wso2 | enterprise_integrator | 6.6.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server | 6.0.0 | |
| wso2 | identity_server | 6.1.0 | |
| wso2 | identity_server | 7.0.0 | |
| wso2 | identity_server | 7.1.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | open_banking_am | 2.0.0 | |
| wso2 | open_banking_iam | 2.0.0 | |
| wso2 | traffic_manager | 4.5.0 | |
| wso2 | universal_gateway | 4.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "EA76533A-5BED-4BDC-B348-EB3D3FDFB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C1EFBD0F-9664-4EF3-9908-C72B1318F68F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "A5358E6E-8C01-408D-8692-B1A326DC630F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user\u0027s browser context.\n\nBy tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin\u2019s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk.\n\nFurthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product."
}
],
"id": "CVE-2025-5350",
"lastModified": "2025-11-21T14:33:52.920",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 3.7,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-24T10:15:38.910",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-9804
Vulnerability from fkie_nvd - Published: 2025-10-16 13:15 - Updated: 2025-11-21 21:40
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C6D7E912-B0C4-4AD2-90CF-6355BA9DEEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "245D4EB1-F69D-4FAF-94DB-F4B3D3C20539",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0D57C8CF-084D-4142-9AF1-7C9F1261A3BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF14774-8935-4FC9-B5C8-9771B3D6EBFD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2318B757-4BE3-4A45-9337-12281210964E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2D5DF76F-1578-4C10-AB38-A01979302B3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "941D83A5-1978-49AE-890D-E31980E2D6AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CCDDFAB-C8FC-41C4-9872-667C442F119B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "66292C25-B0B9-4FCE-9382-57B8F6BB814A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "709DC7EA-18A6-4B83-84CB-F2499BEB5D2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_mobility_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A9D6FCEF-7685-42DD-B322-AD87B5F37574",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_service_bus:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "236C44E3-FAB5-41F2-9884-D17944EBB468",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2689AF3E-01AA-4B79-BA55-6BB3D81E16CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0375C318-ECD2-4657-A0D7-4A0708266FBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B9E7D773-A7CE-4AB8-828B-C2E7DC2799AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CEA63B98-D4B4-4FCD-A869-FE64BC21A1B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "26542F95-73F3-4906-838E-A66F5DC9DFA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "981D701D-E381-484A-9614-CD0EF0331071",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "EA76533A-5BED-4BDC-B348-EB3D3FDFB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C1EFBD0F-9664-4EF3-9908-C72B1318F68F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "A5358E6E-8C01-408D-8692-B1A326DC630F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A1116722-BC4A-4127-9BF5-DB62760BD026",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D1AB6D32-5BD3-47F0-BDA8-3AEC1C24543F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42BFE7A0-A168-4C1E-8725-41DD500C837E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5508EC5E-BEEA-49A7-BA2E-AEF40ECCB5C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "104DBA04-538E-4CC5-9B6C-CFEDB40375AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8CFB56F4-91D1-4FBF-842A-04BB117CAF85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "035BF3B3-1AB9-43BC-BB37-68843818EDEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_km:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E53783F4-60C7-4A92-8951-F8FD51170670",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_km:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "535EFD44-F81C-43B2-B595-81429468637F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\n\nThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected."
}
],
"id": "CVE-2025-9804",
"lastModified": "2025-11-21T21:40:09.890",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-16T13:15:42.130",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-10611
Vulnerability from fkie_nvd - Published: 2025-10-16 13:15 - Updated: 2025-11-21 21:38
Severity ?
Summary
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.
Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "245D4EB1-F69D-4FAF-94DB-F4B3D3C20539",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0D57C8CF-084D-4142-9AF1-7C9F1261A3BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF14774-8935-4FC9-B5C8-9771B3D6EBFD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0375C318-ECD2-4657-A0D7-4A0708266FBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "26542F95-73F3-4906-838E-A66F5DC9DFA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60781FE4-38A3-4FEA-9D8B-CADE4B535974",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B169832-A746-49A6-8E92-06624AA9B13A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "981D701D-E381-484A-9614-CD0EF0331071",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "EA76533A-5BED-4BDC-B348-EB3D3FDFB110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C1EFBD0F-9664-4EF3-9908-C72B1318F68F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "A5358E6E-8C01-408D-8692-B1A326DC630F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "104DBA04-538E-4CC5-9B6C-CFEDB40375AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4F0F121-700C-4D30-BAFC-960DCC56F08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8CFB56F4-91D1-4FBF-842A-04BB117CAF85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "035BF3B3-1AB9-43BC-BB37-68843818EDEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_km:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E53783F4-60C7-4A92-8951-F8FD51170670",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_km:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "535EFD44-F81C-43B2-B595-81429468637F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.\n\nSuccessful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations."
}
],
"id": "CVE-2025-10611",
"lastModified": "2025-11-21T21:38:23.433",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
},
"published": "2025-10-16T13:15:40.640",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-5717
Vulnerability from fkie_nvd - Published: 2025-09-23 16:15 - Updated: 2025-11-21 21:34
Severity ?
6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.
Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_control_plane | 4.5.0 | |
| wso2 | api_manager | 3.0.0 | |
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 3.2.1 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | api_manager | 4.1.0 | |
| wso2 | api_manager | 4.2.0 | |
| wso2 | api_manager | 4.3.0 | |
| wso2 | api_manager | 4.4.0 | |
| wso2 | api_manager | 4.5.0 | |
| wso2 | open_banking_am | 2.0.0 | |
| wso2 | traffic_manager | 4.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF14774-8935-4FC9-B5C8-9771B3D6EBFD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.\n\nExploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users."
}
],
"id": "CVE-2025-5717",
"lastModified": "2025-11-21T21:34:06.837",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 5.9,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-09-23T16:15:33.620",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-3511
Vulnerability from fkie_nvd - Published: 2025-06-23 09:15 - Updated: 2025-10-06 13:35
Severity ?
Summary
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.
Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 3.2.1 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | api_manager | 4.1.0 | |
| wso2 | api_manager | 4.2.0 | |
| wso2 | api_manager | 4.3.0 | |
| wso2 | enterprise_integrator | 6.6.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server | 6.0.0 | |
| wso2 | identity_server | 6.1.0 | |
| wso2 | identity_server | 7.0.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | open_banking_am | 2.0.0 | |
| wso2 | open_banking_iam | 2.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7B81C488-69D0-4A5C-AEED-31869C1BF5CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "65CD2558-C60C-4296-8E96-D4D804C598F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DF49C6-F2F6-4229-982E-0C0559265203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.\n\nSuccessful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de autorizaci\u00f3n incorrecta en varios productos WSO2 que permite el acceso no autorizado a archivos versionados almacenados en el registro. Debido a una l\u00f3gica de autorizaci\u00f3n defectuosa, un agente malicioso con acceso a la consola de administraci\u00f3n puede explotar un m\u00e9todo de omisi\u00f3n espec\u00edfico para recuperar archivos versionados sin la debida autorizaci\u00f3n. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda conllevar la divulgaci\u00f3n no autorizada de archivos de configuraci\u00f3n o recursos que podr\u00edan estar almacenados como versiones del registro, lo que podr\u00eda facilitar nuevos ataques o el reconocimiento del sistema."
}
],
"id": "CVE-2024-3511",
"lastModified": "2025-10-06T13:35:40.377",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
},
"published": "2025-06-23T09:15:21.580",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-8008
Vulnerability from fkie_nvd - Published: 2025-06-02 17:15 - Updated: 2025-10-06 13:51
Severity ?
Summary
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.
This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wso2 | api_manager | 3.1.0 | |
| wso2 | api_manager | 3.2.0 | |
| wso2 | api_manager | 3.2.1 | |
| wso2 | api_manager | 4.0.0 | |
| wso2 | api_manager | 4.1.0 | |
| wso2 | api_manager | 4.2.0 | |
| wso2 | api_manager | 4.3.0 | |
| wso2 | enterprise_integrator | 6.6.0 | |
| wso2 | identity_server | 5.10.0 | |
| wso2 | identity_server | 5.11.0 | |
| wso2 | identity_server | 6.0.0 | |
| wso2 | identity_server | 6.1.0 | |
| wso2 | identity_server | 7.0.0 | |
| wso2 | identity_server_as_key_manager | 5.10.0 | |
| wso2 | open_banking_am | 2.0.0 | |
| wso2 | open_banking_iam | 2.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7B81C488-69D0-4A5C-AEED-31869C1BF5CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "65CD2558-C60C-4296-8E96-D4D804C598F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DF49C6-F2F6-4229-982E-0C0559265203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.\n\nThis vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site-scripting (XSS) reflejado en varios productos [Vendor Name] debido a una codificaci\u00f3n de salida insuficiente en los mensajes de error generados por la solicitud de validaci\u00f3n de conexi\u00f3n del almac\u00e9n de usuarios JDBC. Un actor malicioso puede inyectar un payload especialmente manipulada en la solicitud, lo que provoca que el navegador ejecute JavaScript arbitrario en el contexto de la p\u00e1gina vulnerable. Esta vulnerabilidad puede permitir la manipulaci\u00f3n de la interfaz de usuario, la redirecci\u00f3n a sitios web maliciosos o la exfiltraci\u00f3n de datos del navegador. Sin embargo, dado que todas las cookies sensibles relacionadas con la sesi\u00f3n est\u00e1n protegidas con el indicador httpOnly, el secuestro de sesi\u00f3n no es posible."
}
],
"id": "CVE-2024-8008",
"lastModified": "2025-10-06T13:51:36.377",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.7,
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
},
"published": "2025-06-02T17:15:36.407",
"references": [
{
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"tags": [
"Vendor Advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/"
}
],
"sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"type": "Secondary"
}
]
}
CVE-2025-10853 (GCVE-0-2025-10853)
Vulnerability from cvelistv5 – Published: 2025-11-05 19:21 – Updated: 2025-11-05 19:58
VLAI?
Summary
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.
Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.
Severity ?
5.2 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Open Banking IAM |
Unknown:
0 , < 2.0.0
(custom)
Affected: 2.0.0 , < 2.0.0.413 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
crnković
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T19:51:26.535789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T19:58:21.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.413",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.344",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.445",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.65",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.365",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.227",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.167",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.79",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.43",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.26",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.373",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.417",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.247",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.246",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.122",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.29",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.393",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.363",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.223",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.25",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.25",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui",
"product": "org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.7.32.14",
"status": "affected",
"version": "4.7.32",
"versionType": "custom"
},
{
"lessThan": "4.7.35.11",
"status": "affected",
"version": "4.7.35",
"versionType": "custom"
},
{
"lessThan": "4.7.39.9",
"status": "affected",
"version": "4.7.39",
"versionType": "custom"
},
{
"lessThan": "4.7.51.4",
"status": "affected",
"version": "4.7.51",
"versionType": "custom"
},
{
"lessThan": "4.8.3.9",
"status": "affected",
"version": "4.8.3",
"versionType": "custom"
},
{
"lessThan": "4.8.13.6",
"status": "affected",
"version": "4.8.13",
"versionType": "custom"
},
{
"lessThan": "4.8.32.3",
"status": "affected",
"version": "4.8.32",
"versionType": "custom"
},
{
"lessThan": "4.8.36.1",
"status": "affected",
"version": "4.8.36",
"versionType": "custom"
},
{
"lessThan": "4.8.43.1",
"status": "affected",
"version": "4.8.43",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.8.47",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui",
"product": "org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.7.24.7",
"status": "affected",
"version": "4.7.24",
"versionType": "custom"
},
{
"lessThan": "4.7.32.14",
"status": "affected",
"version": "4.7.32",
"versionType": "custom"
},
{
"lessThan": "4.7.33.13",
"status": "affected",
"version": "4.7.33",
"versionType": "custom"
},
{
"lessThan": "4.7.35.11",
"status": "affected",
"version": "4.7.35",
"versionType": "custom"
},
{
"lessThan": "4.7.39.9",
"status": "affected",
"version": "4.7.39",
"versionType": "custom"
},
{
"lessThan": "4.7.51.4",
"status": "affected",
"version": "4.7.51",
"versionType": "custom"
},
{
"lessThan": "4.8.3.9",
"status": "affected",
"version": "4.8.3",
"versionType": "custom"
},
{
"lessThan": "4.8.9.5",
"status": "affected",
"version": "4.8.9",
"versionType": "custom"
},
{
"lessThan": "4.8.12.5",
"status": "affected",
"version": "4.8.12",
"versionType": "custom"
},
{
"lessThan": "4.8.13.6",
"status": "affected",
"version": "4.8.13",
"versionType": "custom"
},
{
"lessThan": "4.8.24.3",
"status": "affected",
"version": "4.8.24",
"versionType": "custom"
},
{
"lessThan": "4.8.32.3",
"status": "affected",
"version": "4.8.32",
"versionType": "custom"
},
{
"lessThan": "4.8.36.1",
"status": "affected",
"version": "4.8.36",
"versionType": "custom"
},
{
"lessThan": "4.8.43.1",
"status": "affected",
"version": "4.8.43",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.8.47",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui",
"product": "org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.8.19.5",
"status": "affected",
"version": "4.8.19",
"versionType": "custom"
},
{
"lessThan": "4.8.21.9",
"status": "affected",
"version": "4.8.21",
"versionType": "custom"
},
{
"lessThan": "4.8.28.3",
"status": "affected",
"version": "4.8.28",
"versionType": "custom"
},
{
"lessThan": "4.8.30.3",
"status": "affected",
"version": "4.8.30",
"versionType": "custom"
},
{
"lessThan": "4.8.32.1",
"status": "affected",
"version": "4.8.32",
"versionType": "custom"
},
{
"lessThan": "4.8.33.3",
"status": "affected",
"version": "4.8.33",
"versionType": "custom"
},
{
"lessThan": "4.8.34.3",
"status": "affected",
"version": "4.8.34",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "4.8.35",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui",
"product": "org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.4.2.165",
"status": "affected",
"version": "6.4.2",
"versionType": "custom"
},
{
"lessThan": "6.4.111.155",
"status": "affected",
"version": "6.4.111",
"versionType": "custom"
},
{
"lessThan": "6.4.176.28",
"status": "affected",
"version": "6.4.176",
"versionType": "custom"
},
{
"lessThan": "6.4.180.12",
"status": "affected",
"version": "6.4.180",
"versionType": "custom"
},
{
"lessThan": "6.9.6.26",
"status": "affected",
"version": "6.9.6",
"versionType": "custom"
},
{
"lessThan": "6.13.16.19",
"status": "affected",
"version": "6.13.16",
"versionType": "custom"
},
{
"lessThan": "6.13.19.12",
"status": "affected",
"version": "6.13.19",
"versionType": "custom"
},
{
"lessThan": "6.13.27.5",
"status": "affected",
"version": "6.13.27",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.38",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0.349",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.413",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.1.0.344",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.0.445",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.1.65",
"versionStartIncluding": "3.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.365",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.227",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.167",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.3.0.79",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.0.43",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.26",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.373",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.417",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.0.247",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.0.246",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.0.122",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.0.29",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.393",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.363",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.0.223",
"versionStartIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.27",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.25",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.25",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.32.14",
"versionStartIncluding": "4.7.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.35.11",
"versionStartIncluding": "4.7.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.39.9",
"versionStartIncluding": "4.7.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.51.4",
"versionStartIncluding": "4.7.51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.3.9",
"versionStartIncluding": "4.8.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.13.6",
"versionStartIncluding": "4.8.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.32.3",
"versionStartIncluding": "4.8.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.36.1",
"versionStartIncluding": "4.8.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.43.1",
"versionStartIncluding": "4.8.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.8.47",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.24.7",
"versionStartIncluding": "4.7.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.32.14",
"versionStartIncluding": "4.7.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.33.13",
"versionStartIncluding": "4.7.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.35.11",
"versionStartIncluding": "4.7.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.39.9",
"versionStartIncluding": "4.7.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.51.4",
"versionStartIncluding": "4.7.51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.3.9",
"versionStartIncluding": "4.8.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.9.5",
"versionStartIncluding": "4.8.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.12.5",
"versionStartIncluding": "4.8.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.13.6",
"versionStartIncluding": "4.8.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.24.3",
"versionStartIncluding": "4.8.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.32.3",
"versionStartIncluding": "4.8.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.36.1",
"versionStartIncluding": "4.8.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.43.1",
"versionStartIncluding": "4.8.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.8.47",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.19.5",
"versionStartIncluding": "4.8.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.21.9",
"versionStartIncluding": "4.8.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.28.3",
"versionStartIncluding": "4.8.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.30.3",
"versionStartIncluding": "4.8.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.32.1",
"versionStartIncluding": "4.8.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.33.3",
"versionStartIncluding": "4.8.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.34.3",
"versionStartIncluding": "4.8.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.8.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.2.165",
"versionStartIncluding": "6.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.111.155",
"versionStartIncluding": "6.4.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.176.28",
"versionStartIncluding": "6.4.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.180.12",
"versionStartIncluding": "6.4.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.6.26",
"versionStartIncluding": "6.9.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.16.19",
"versionStartIncluding": "6.13.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.19.12",
"versionStartIncluding": "6.13.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.27.5",
"versionStartIncluding": "6.13.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "6.13.*",
"versionStartIncluding": "6.13.38",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "7.0.349",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "crnkovi\u0107"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking."
}
],
"value": "A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.\n\nSuccessful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T19:21:32.971Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4486",
"discovery": "EXTERNAL"
},
"title": "Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-10853",
"datePublished": "2025-11-05T19:21:32.971Z",
"dateReserved": "2025-09-22T10:42:09.872Z",
"dateUpdated": "2025-11-05T19:58:21.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10907 (GCVE-0-2025-10907)
Vulnerability from cvelistv5 – Published: 2025-11-05 18:03 – Updated: 2025-11-05 18:49
VLAI?
Summary
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.
Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.
Severity ?
8.4 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 API Manager |
Unknown:
0 , < 3.1.0
(custom)
Affected: 3.1.0 , < 3.1.0.345 (custom) Affected: 3.2.0 , < 3.2.0.448 (custom) Affected: 3.2.1 , < 3.2.1.66 (custom) Affected: 4.0.0 , < 4.0.0.367 (custom) Affected: 4.1.0 , < 4.1.0.230 (custom) Affected: 4.2.0 , < 4.2.0.169 (custom) Affected: 4.3.0 , < 4.3.0.81 (custom) Affected: 4.4.0 , < 4.4.0.45 (custom) Affected: 4.5.0 , < 4.5.0.28 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
crnković
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10907",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T18:49:26.232581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T18:49:44.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.345",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.448",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.66",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.367",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.230",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.169",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.81",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.45",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.28",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.414",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.394",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.29",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Micro Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.0.0.145",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.147",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.141",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.375",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.419",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.248",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.248",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.124",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.31",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.365",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.224",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt",
"product": "org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt",
"vendor": "WSO2",
"versions": [
{
"lessThan": "0.14.13.8",
"status": "affected",
"version": "0.14.13",
"versionType": "custom"
},
{
"lessThan": "0.14.16.1",
"status": "affected",
"version": "0.14.16",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core",
"product": "org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.14.7",
"status": "affected",
"version": "2.2.14",
"versionType": "custom"
},
{
"lessThan": "2.2.17.2",
"status": "affected",
"version": "2.2.17",
"versionType": "custom"
},
{
"lessThan": "2.3.1.3",
"status": "affected",
"version": "2.3.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "2.3.19",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.mediation:org.wso2.carbon.mediation.library",
"product": "org.wso2.carbon.mediation:org.wso2.carbon.mediation.library",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.7.30.47",
"status": "affected",
"version": "4.7.30",
"versionType": "custom"
},
{
"lessThan": "4.7.61.62",
"status": "affected",
"version": "4.7.61",
"versionType": "custom"
},
{
"lessThan": "4.7.99.304",
"status": "affected",
"version": "4.7.99",
"versionType": "custom"
},
{
"lessThan": "4.7.131.22",
"status": "affected",
"version": "4.7.131",
"versionType": "custom"
},
{
"lessThan": "4.7.175.30",
"status": "affected",
"version": "4.7.175",
"versionType": "custom"
},
{
"lessThan": "4.7.188.12",
"status": "affected",
"version": "4.7.188",
"versionType": "custom"
},
{
"lessThan": "4.7.204.13",
"status": "affected",
"version": "4.7.204",
"versionType": "custom"
},
{
"lessThan": "4.7.221.7",
"status": "affected",
"version": "4.7.221",
"versionType": "custom"
},
{
"lessThan": "4.7.245.7",
"status": "affected",
"version": "4.7.245",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.7.262",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.deployment:org.wso2.carbon.module.mgt",
"product": "org.wso2.carbon.deployment:org.wso2.carbon.module.mgt",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.9.15.2",
"status": "affected",
"version": "4.9.15",
"versionType": "custom"
},
{
"lessThan": "4.10.1.1",
"status": "affected",
"version": "4.10.1",
"versionType": "custom"
},
{
"lessThan": "4.10.9.2",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.11.1.3",
"status": "affected",
"version": "4.11.1",
"versionType": "custom"
},
{
"lessThan": "4.11.3.3",
"status": "affected",
"version": "4.11.3",
"versionType": "custom"
},
{
"lessThan": "4.11.7.5",
"status": "affected",
"version": "4.11.7",
"versionType": "custom"
},
{
"lessThan": "4.11.14.2",
"status": "affected",
"version": "4.11.14",
"versionType": "custom"
},
{
"lessThan": "4.11.17.3",
"status": "affected",
"version": "4.11.17",
"versionType": "custom"
},
{
"lessThan": "4.11.18.1",
"status": "affected",
"version": "4.11.18",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.11.24",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt",
"product": "org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.10.1.1",
"status": "affected",
"version": "4.10.1",
"versionType": "custom"
},
{
"lessThan": "4.10.9.2",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.11.1.3",
"status": "affected",
"version": "4.11.1",
"versionType": "custom"
},
{
"lessThan": "4.11.3.3",
"status": "affected",
"version": "4.11.3",
"versionType": "custom"
},
{
"lessThan": "4.11.7.5",
"status": "affected",
"version": "4.11.7",
"versionType": "custom"
},
{
"lessThan": "4.11.14.2",
"status": "affected",
"version": "4.11.14",
"versionType": "custom"
},
{
"lessThan": "4.11.17.3",
"status": "affected",
"version": "4.11.17",
"versionType": "custom"
},
{
"lessThan": "4.11.18.1",
"status": "affected",
"version": "4.11.18",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.11.24",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.apache.ws.commons.axiom.wso2:axiom",
"product": "org.apache.ws.commons.axiom.wso2:axiom",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.2.11.wso2v17_5",
"status": "affected",
"version": "1.2.11",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "1.2.11-wso2v21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.base",
"product": "org.wso2.carbon:org.wso2.carbon.base",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.3.46",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.2005",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.153",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.668",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.37",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.15",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.72",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.40",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.103",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.26",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.11",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.12",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.71",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.14",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.30",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.95",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.utils",
"product": "org.wso2.carbon:org.wso2.carbon.utils",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.3.46",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.2005",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.153",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.668",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.37",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.15",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.72",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.40",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.103",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.26",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.11",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.12",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.71",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.14",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.30",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.95",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.1.0.345",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.0.448",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.1.66",
"versionStartIncluding": "3.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.367",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.230",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.169",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.3.0.81",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.0.45",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.28",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.414",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.394",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.29",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.27",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.27",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.145",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.147",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.141",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.375",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.419",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.0.248",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.0.248",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.0.124",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.0.31",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.365",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.0.224",
"versionStartIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.jaggeryjs_org.jaggeryjs.jaggery.app.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.14.13.8",
"versionStartIncluding": "0.14.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.jaggeryjs_org.jaggeryjs.jaggery.app.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.14.16.1",
"versionStartIncluding": "0.14.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.event-processing_org.wso2.carbon.event.simulator.core:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.2.14.7",
"versionStartIncluding": "2.2.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.event-processing_org.wso2.carbon.event.simulator.core:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.2.17.2",
"versionStartIncluding": "2.2.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.event-processing_org.wso2.carbon.event.simulator.core:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.3.1.3",
"versionStartIncluding": "2.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.event-processing_org.wso2.carbon.event.simulator.core:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "2.3.19",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.30.47",
"versionStartIncluding": "4.7.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.61.62",
"versionStartIncluding": "4.7.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.99.304",
"versionStartIncluding": "4.7.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.131.22",
"versionStartIncluding": "4.7.131",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.175.30",
"versionStartIncluding": "4.7.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.188.12",
"versionStartIncluding": "4.7.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.204.13",
"versionStartIncluding": "4.7.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.221.7",
"versionStartIncluding": "4.7.221",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.245.7",
"versionStartIncluding": "4.7.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.7.262",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.15.2",
"versionStartIncluding": "4.9.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.1.1",
"versionStartIncluding": "4.10.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.2",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.1.3",
"versionStartIncluding": "4.11.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.3.3",
"versionStartIncluding": "4.11.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.7.5",
"versionStartIncluding": "4.11.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.14.2",
"versionStartIncluding": "4.11.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.17.3",
"versionStartIncluding": "4.11.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.18.1",
"versionStartIncluding": "4.11.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.11.24",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.1.1",
"versionStartIncluding": "4.10.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.2",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.1.3",
"versionStartIncluding": "4.11.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.3.3",
"versionStartIncluding": "4.11.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.7.5",
"versionStartIncluding": "4.11.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.14.2",
"versionStartIncluding": "4.11.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.17.3",
"versionStartIncluding": "4.11.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.18.1",
"versionStartIncluding": "4.11.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.11.24",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.apache.ws.commons.axiom.wso2_axiom:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.2.11.wso2v17_5",
"versionStartIncluding": "1.2.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.apache.ws.commons.axiom.wso2_axiom:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "1.2.11-wso2v21",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.3.46",
"versionStartIncluding": "4.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.0.2005",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.1.153",
"versionStartIncluding": "4.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.2.668",
"versionStartIncluding": "4.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.3.37",
"versionStartIncluding": "4.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.4.15",
"versionStartIncluding": "4.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.1.72",
"versionStartIncluding": "4.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.1.40",
"versionStartIncluding": "4.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.0.103",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.26.26",
"versionStartIncluding": "4.9.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.27.11",
"versionStartIncluding": "4.9.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.28.12",
"versionStartIncluding": "4.9.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.71",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.42.14",
"versionStartIncluding": "4.10.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.9.*",
"versionStartIncluding": "4.9.30",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.10.95",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.3.46",
"versionStartIncluding": "4.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.0.2005",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.1.153",
"versionStartIncluding": "4.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.2.668",
"versionStartIncluding": "4.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.3.37",
"versionStartIncluding": "4.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.4.15",
"versionStartIncluding": "4.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.1.72",
"versionStartIncluding": "4.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.1.40",
"versionStartIncluding": "4.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.0.103",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.26.26",
"versionStartIncluding": "4.9.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.27.11",
"versionStartIncluding": "4.9.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.28.12",
"versionStartIncluding": "4.9.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.71",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.42.14",
"versionStartIncluding": "4.10.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.9.*",
"versionStartIncluding": "4.9.30",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.10.95",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "crnkovi\u0107"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.\u003cbr\u003e"
}
],
"value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.\n\nSuccessful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T18:03:49.831Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4603",
"discovery": "EXTERNAL"
},
"title": "Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-10907",
"datePublished": "2025-11-05T18:03:49.831Z",
"dateReserved": "2025-09-24T09:25:09.461Z",
"dateUpdated": "2025-11-05T18:49:44.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10713 (GCVE-0-2025-10713)
Vulnerability from cvelistv5 – Published: 2025-11-05 17:18 – Updated: 2025-11-05 18:15
VLAI?
Summary
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
Severity ?
6.5 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Enterprise Integrator |
Unknown:
0 , < 6.6.0
(custom)
Affected: 6.6.0 , < 6.6.0.223 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
Credits
crnković
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T18:15:46.961845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T18:15:56.913Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.223",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.25",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.25",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.344",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.445",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.65",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.365",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.227",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.167",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.79",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.43",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.26",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.373",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.417",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.29",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.413",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.393",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.363",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.mediation:org.wso2.carbon.localentry",
"product": "org.wso2.carbon.mediation:org.wso2.carbon.localentry",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.7.30.46",
"status": "affected",
"version": "4.7.30",
"versionType": "custom"
},
{
"lessThan": "4.7.61.61",
"status": "affected",
"version": "4.7.61",
"versionType": "custom"
},
{
"lessThan": "4.7.99.303",
"status": "affected",
"version": "4.7.99",
"versionType": "custom"
},
{
"lessThan": "4.7.131.21",
"status": "affected",
"version": "4.7.131",
"versionType": "custom"
},
{
"lessThan": "4.7.175.29",
"status": "affected",
"version": "4.7.175",
"versionType": "custom"
},
{
"lessThan": "4.7.188.11",
"status": "affected",
"version": "4.7.188",
"versionType": "custom"
},
{
"lessThan": "4.7.204.12",
"status": "affected",
"version": "4.7.204",
"versionType": "custom"
},
{
"lessThan": "4.7.221.6",
"status": "affected",
"version": "4.7.221",
"versionType": "custom"
},
{
"lessThan": "4.7.245.6",
"status": "affected",
"version": "4.7.245",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.7.259",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.0.223",
"versionStartIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.27",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.25",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.25",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.1.0.344",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.0.445",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.1.65",
"versionStartIncluding": "3.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.365",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.227",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.167",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.3.0.79",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.0.43",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.26",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.373",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.417",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.0.29",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.413",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.393",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.363",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.30.46",
"versionStartIncluding": "4.7.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.61.61",
"versionStartIncluding": "4.7.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.99.303",
"versionStartIncluding": "4.7.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.131.21",
"versionStartIncluding": "4.7.131",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.175.29",
"versionStartIncluding": "4.7.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.188.11",
"versionStartIncluding": "4.7.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.204.12",
"versionStartIncluding": "4.7.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.221.6",
"versionStartIncluding": "4.7.221",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.245.6",
"versionStartIncluding": "4.7.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.7.259",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "crnkovi\u0107"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.\u003cbr\u003e\u003cbr\u003eA successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server\u0027s filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.\u003cbr\u003e"
}
],
"value": "An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.\n\nA successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server\u0027s filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T17:18:24.719Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4505",
"discovery": "EXTERNAL"
},
"title": "XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-10713",
"datePublished": "2025-11-05T17:18:24.719Z",
"dateReserved": "2025-09-19T06:15:37.907Z",
"dateUpdated": "2025-11-05T18:15:56.913Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5605 (GCVE-0-2025-5605)
Vulnerability from cvelistv5 – Published: 2025-10-24 10:09 – Updated: 2025-10-24 11:44
VLAI?
Summary
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.
The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
Severity ?
4.3 (Medium)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Identity Server |
Unknown:
0 , < 5.10.0
(custom)
Affected: 5.10.0 , < 5.10.0.361 (custom) Affected: 5.11.0 , < 5.11.0.414 (custom) Affected: 6.0.0 , < 6.0.0.245 (custom) Affected: 6.1.0 , < 6.1.0.244 (custom) Affected: 7.0.0 , < 7.0.0.119 (custom) Affected: 7.1.0 , < 7.1.0.25 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Noël Maccary
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5605",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T11:44:00.454638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T11:44:58.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.361",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.414",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.245",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.244",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.119",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.25",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.217",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.10",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.10",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.334",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.430",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.48",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.346",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.210",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.148",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.61",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.24",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.10",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.11",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.354",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.382",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.403",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.ui",
"product": "org.wso2.carbon:org.wso2.carbon.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.3.40",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1224",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.150",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.664",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.32",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.8",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.69",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.33",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.100",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.20",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.4",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.4",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.68",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.10",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.29",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.90",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.361",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.414",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.0.245",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.0.244",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.0.119",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.0.25",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.0.217",
"versionStartIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.10",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.10",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.1.0.334",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.0.430",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.1.48",
"versionStartIncluding": "3.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.346",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.210",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.148",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.3.0.61",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.0.24",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.10",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.11",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.354",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.382",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.403",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.3.40",
"versionStartIncluding": "4.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.0.1224",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.1.150",
"versionStartIncluding": "4.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.2.664",
"versionStartIncluding": "4.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.3.32",
"versionStartIncluding": "4.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.4.8",
"versionStartIncluding": "4.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.1.69",
"versionStartIncluding": "4.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.1.33",
"versionStartIncluding": "4.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.0.100",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.26.20",
"versionStartIncluding": "4.9.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.27.4",
"versionStartIncluding": "4.9.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.28.4",
"versionStartIncluding": "4.9.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.68",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.42.10",
"versionStartIncluding": "4.10.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.9.*",
"versionStartIncluding": "4.9.29",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.10.90",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "No\u00ebl Maccary"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\u003cbr\u003e\u003cbr\u003eThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.\u003cbr\u003e"
}
],
"value": "An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\n\nThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T10:17:47.415Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4115",
"discovery": "EXTERNAL"
},
"title": "Authentication Bypass via URI Manipulation in Multiple WSO2 Products\u0027 Management Console Leading to Partial Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-5605",
"datePublished": "2025-10-24T10:09:59.591Z",
"dateReserved": "2025-06-04T10:51:11.459Z",
"dateUpdated": "2025-10-24T11:44:58.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5350 (GCVE-0-2025-5350)
Vulnerability from cvelistv5 – Published: 2025-10-24 10:08 – Updated: 2025-10-24 12:16
VLAI?
Summary
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context.
By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk.
Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.
Severity ?
5.9 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Identity Server |
Unknown:
0 , < 5.10.0
(custom)
Affected: 5.10.0 , < 5.10.0.359 (custom) Affected: 5.11.0 , < 5.11.0.415 (custom) Affected: 6.0.0 , < 6.0.0.246 (custom) Affected: 6.1.0 , < 6.1.0.245 (custom) Affected: 7.0.0 , < 7.0.0.120 (custom) Affected: 7.1.0 , < 7.1.0.27 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Noël MACCARY
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T12:16:39.906160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:16:49.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.359",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.415",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.246",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.245",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.120",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.27",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.218",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.332",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.428",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.47",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.369",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.209",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.147",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.60",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.23",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.7",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.7",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.7",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.7",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.380",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.401",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.352",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.ui",
"product": "org.wso2.carbon:org.wso2.carbon.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.3.41",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1087",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.151",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.672",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.30",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.7",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.70",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.32",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.101",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.19",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.3",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.1",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.69",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.11",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.29",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.93",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "No\u00ebl MACCARY"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user\u0027s browser context.\u003cbr\u003e\u003cbr\u003eBy tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin\u2019s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk.\u003cbr\u003e\u003cbr\u003eFurthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.\u003cbr\u003e"
}
],
"value": "SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user\u0027s browser context.\n\nBy tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin\u2019s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk.\n\nFurthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T10:15:53.793Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4124",
"discovery": "EXTERNAL"
},
"title": "SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-5350",
"datePublished": "2025-10-24T10:08:07.719Z",
"dateReserved": "2025-05-30T06:56:02.711Z",
"dateUpdated": "2025-10-24T12:16:49.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9804 (GCVE-0-2025-9804)
Vulnerability from cvelistv5 – Published: 2025-10-16 12:33 – Updated: 2025-10-17 16:01
VLAI?
Summary
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
Severity ?
9.6 (Critical)
8.9 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Identity Server as Key Manager |
Unknown:
0 , < 5.3.0
(custom)
Affected: 5.3.0 , < 5.3.0.41 (custom) Affected: 5.5.0 , < 5.5.0.53 (custom) Affected: 5.6.0 , < 5.6.0.75 (custom) Affected: 5.7.0 , < 5.7.0.125 (custom) Affected: 5.9.0 , < 5.9.0.176 (custom) Affected: 5.10.0 , < 5.10.0.359 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
crnković
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T13:20:20.582589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T16:01:25.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.3.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.41",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.53",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.75",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.125",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.176",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.359",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.2.0.34",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.36",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.4.0.34",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.4.1.38",
"status": "affected",
"version": "5.4.1",
"versionType": "custom"
},
{
"lessThan": "5.5.0.52",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.60",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.126",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.8.0.110",
"status": "affected",
"version": "5.8.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.169",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.369",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.413",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.244",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.243",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.118",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.25",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking KM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.133",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.123",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.409",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.139",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.140",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.389",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.31",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.1.0.40",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.59",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.85",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
},
{
"lessThan": "2.6.0.146",
"status": "affected",
"version": "2.6.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.176",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.340",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.441",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.61",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.361",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.224",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.162",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.75",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.39",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.23",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server Analytics",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.2.0.19",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.17",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.31",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.38",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "API Manager Analytics",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.14",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.1.0.19",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.30",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.39",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.2.0.62",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.3.0.70",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Service Bus Analytics",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.0.0.13",
"status": "affected",
"version": "5.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Data Analytics Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.20",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.33",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Mobility Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.28",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.22",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.24",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.22",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector",
"product": "org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.10.1",
"status": "affected",
"version": "2.0.10",
"versionType": "custom"
},
{
"lessThan": "2.0.15.1",
"status": "affected",
"version": "2.0.15",
"versionType": "custom"
},
{
"lessThan": "2.0.21.1",
"status": "affected",
"version": "2.0.21",
"versionType": "custom"
},
{
"lessThan": "2.0.22.1",
"status": "affected",
"version": "2.0.22",
"versionType": "custom"
},
{
"lessThan": "2.1.12.1",
"status": "affected",
"version": "2.1.12",
"versionType": "custom"
},
{
"lessThan": "2.1.1972",
"status": "affected",
"version": "2.1",
"versionType": "custom"
},
{
"lessThan": "2.2.24",
"status": "affected",
"version": "2.2",
"versionType": "custom"
},
{
"lessThan": "2.2.25",
"status": "affected",
"version": "2.2",
"versionType": "custom"
},
{
"lessThan": "3.1.0.74",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.3.6.7",
"status": "affected",
"version": "3.3.6",
"versionType": "custom"
},
{
"lessThan": "3.3.26.2",
"status": "affected",
"version": "3.3.26",
"versionType": "custom"
},
{
"lessThan": "3.3.35.1",
"status": "affected",
"version": "3.3.35",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "3.3.41",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util",
"product": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.7.206.567",
"status": "affected",
"version": "6.7.206",
"versionType": "custom"
},
{
"lessThan": "6.7.210.63",
"status": "affected",
"version": "6.7.210",
"versionType": "custom"
},
{
"lessThan": "9.0.174.522",
"status": "affected",
"version": "9.0.174",
"versionType": "custom"
},
{
"lessThan": "9.20.74.379",
"status": "affected",
"version": "9.20.74",
"versionType": "custom"
},
{
"lessThan": "9.28.116.360",
"status": "affected",
"version": "9.28.116",
"versionType": "custom"
},
{
"lessThan": "9.29.120.184",
"status": "affected",
"version": "9.29.120",
"versionType": "custom"
},
{
"lessThan": "9.30.67.109",
"status": "affected",
"version": "9.30.67",
"versionType": "custom"
},
{
"lessThan": "9.31.86.71",
"status": "affected",
"version": "9.31.86",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "9.32.133",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.base",
"product": "org.wso2.carbon:org.wso2.carbon.base",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.4.7.6",
"status": "affected",
"version": "4.4.7",
"versionType": "custom"
},
{
"lessThan": "4.4.9.11",
"status": "affected",
"version": "4.4.9",
"versionType": "custom"
},
{
"lessThan": "4.4.11.9",
"status": "affected",
"version": "4.4.11",
"versionType": "custom"
},
{
"lessThan": "4.4.26.12",
"status": "affected",
"version": "4.4.26",
"versionType": "custom"
},
{
"lessThan": "4.4.35.44",
"status": "affected",
"version": "4.4.35",
"versionType": "custom"
},
{
"lessThan": "4.5.1.43",
"status": "affected",
"version": "4.5.1",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1990",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.149",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.667",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.36",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.14",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.68",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.39",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.99",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.25",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.10",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.11",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.66",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.9",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThan": "4.9.29",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"lessThan": "4.10.94",
"status": "affected",
"version": "4.10",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt",
"product": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.2.0.4",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.2.2.21",
"status": "affected",
"version": "5.2.2",
"versionType": "custom"
},
{
"lessThan": "5.7.5.18",
"status": "affected",
"version": "5.7.5",
"versionType": "custom"
},
{
"lessThan": "5.11.148.19",
"status": "affected",
"version": "5.11.148",
"versionType": "custom"
},
{
"lessThan": "5.11.256.21",
"status": "affected",
"version": "5.11.256",
"versionType": "custom"
},
{
"lessThan": "5.12.153.63",
"status": "affected",
"version": "5.12.153",
"versionType": "custom"
},
{
"lessThan": "5.12.387.46",
"status": "affected",
"version": "5.12.387",
"versionType": "custom"
},
{
"lessThan": "5.14.97.89",
"status": "affected",
"version": "5.14.97",
"versionType": "custom"
},
{
"lessThan": "5.17.5.317",
"status": "affected",
"version": "5.17.5",
"versionType": "custom"
},
{
"lessThan": "5.17.118.17",
"status": "affected",
"version": "5.17.118",
"versionType": "custom"
},
{
"lessThan": "5.18.187.309",
"status": "affected",
"version": "5.18.187",
"versionType": "custom"
},
{
"lessThan": "5.18.248.30",
"status": "affected",
"version": "5.18.248",
"versionType": "custom"
},
{
"lessThan": "5.23.8.207",
"status": "affected",
"version": "5.23.8",
"versionType": "custom"
},
{
"lessThan": "5.24.8.23",
"status": "affected",
"version": "5.24.8",
"versionType": "custom"
},
{
"lessThan": "5.25.92.152",
"status": "affected",
"version": "5.25.92",
"versionType": "custom"
},
{
"lessThan": "5.25.705.19",
"status": "affected",
"version": "5.25.705",
"versionType": "custom"
},
{
"lessThan": "5.25.713.9",
"status": "affected",
"version": "5.25.713",
"versionType": "custom"
},
{
"lessThan": "5.25.724.3",
"status": "affected",
"version": "5.25.724",
"versionType": "custom"
},
{
"lessThan": "7.0.78.133",
"status": "affected",
"version": "7.0.78",
"versionType": "custom"
},
{
"lessThan": "7.8.23.47",
"status": "affected",
"version": "7.8.23",
"versionType": "custom"
},
{
"lessThan": "5.25.734",
"status": "affected",
"version": "5.25",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.8.489",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.server.admin",
"product": "org.wso2.carbon:org.wso2.carbon.server.admin",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.4.7.6",
"status": "affected",
"version": "4.4.7",
"versionType": "custom"
},
{
"lessThan": "4.4.9.11",
"status": "affected",
"version": "4.4.9",
"versionType": "custom"
},
{
"lessThan": "4.4.11.9",
"status": "affected",
"version": "4.4.11",
"versionType": "custom"
},
{
"lessThan": "4.4.26.12",
"status": "affected",
"version": "4.4.26",
"versionType": "custom"
},
{
"lessThan": "4.4.32.16",
"status": "affected",
"version": "4.4.32",
"versionType": "custom"
},
{
"lessThan": "4.4.35.44",
"status": "affected",
"version": "4.4.35",
"versionType": "custom"
},
{
"lessThan": "4.5.1.43",
"status": "affected",
"version": "4.5.1",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1990",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.149",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.667",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.36",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.14",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.68",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.39",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.99",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.25",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.10",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.11",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.66",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.9",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThan": "4.9.29",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"lessThan": "4.10.94",
"status": "affected",
"version": "4.10",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow",
"product": "org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.1.1.1",
"status": "affected",
"version": "5.1.1",
"versionType": "custom"
},
{
"lessThan": "5.1.2.1",
"status": "affected",
"version": "5.1.2",
"versionType": "custom"
},
{
"lessThan": "5.1.5.1",
"status": "affected",
"version": "5.1.5",
"versionType": "custom"
},
{
"lessThan": "5.3.3.1",
"status": "affected",
"version": "5.3.3",
"versionType": "custom"
},
{
"lessThan": "5.4.0.4",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.4.1.5",
"status": "affected",
"version": "5.4.1",
"versionType": "custom"
},
{
"lessThan": "5.6.0.1",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.6.21",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "crnkovi\u0107"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\u003cbr\u003e\u003cbr\u003eThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected.\u003cbr\u003e"
}
],
"value": "An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\n\nThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "For WSO2 API Manager"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "For WSO2 Identity Server"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T12:33:45.426Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4503",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-9804",
"datePublished": "2025-10-16T12:33:45.426Z",
"dateReserved": "2025-09-01T13:11:12.678Z",
"dateUpdated": "2025-10-17T16:01:25.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10611 (GCVE-0-2025-10611)
Vulnerability from cvelistv5 – Published: 2025-10-16 12:09 – Updated: 2025-10-16 13:34
VLAI?
Summary
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.
Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.
Severity ?
9.8 (Critical)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 API Manager |
Unknown:
0 , < 2.1.0
(custom)
Affected: 2.1.0 , < 2.1.0.42 (custom) Affected: 2.2.0 , < 2.2.0.61 (custom) Affected: 2.5.0 , < 2.5.0.87 (custom) Affected: 2.6.0 , < 2.6.0.148 (custom) Affected: 3.0.0 , < 3.0.0.178 (custom) Affected: 3.1.0 , < 3.1.0.345 (custom) Affected: 3.2.0 , < 3.2.0.446 (custom) Affected: 3.2.1 , < 3.2.1.66 (custom) Affected: 4.0.0 , < 4.0.0.366 (custom) Affected: 4.1.0 , < 4.1.0.228 (custom) Affected: 4.2.0 , < 4.2.0.169 (custom) Affected: 4.3.0 , < 4.3.0.81 (custom) Affected: 4.4.0 , < 4.4.0.45 (custom) Affected: 4.5.0 , < 4.5.0.28 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10611",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T13:24:33.931504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T13:34:31.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.1.0.42",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.61",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.87",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
},
{
"lessThan": "2.6.0.148",
"status": "affected",
"version": "2.6.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.178",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.345",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.446",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.66",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.366",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.228",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.169",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.81",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.45",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.28",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.29",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.141",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.142",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.394",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.414",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.3.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.39",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.54",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.62",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.128",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.8.0.112",
"status": "affected",
"version": "5.8.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.171",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.375",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.419",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.248",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.248",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.124",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.31",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.3.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.44",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.55",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.77",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.127",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.178",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.365",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking KM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.135",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.125",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service",
"product": "org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.1.1.7",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.1.16.6",
"status": "affected",
"version": "1.1.16",
"versionType": "custom"
},
{
"lessThan": "1.1.18.7",
"status": "affected",
"version": "1.1.18",
"versionType": "custom"
},
{
"lessThan": "1.1.20.9",
"status": "affected",
"version": "1.1.20",
"versionType": "custom"
},
{
"lessThan": "1.1.26.11",
"status": "affected",
"version": "1.1.26",
"versionType": "custom"
},
{
"lessThan": "1.3.6.11",
"status": "affected",
"version": "1.3.6",
"versionType": "custom"
},
{
"lessThan": "1.4.0.21",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.4.25.27",
"status": "affected",
"version": "1.4.25",
"versionType": "custom"
},
{
"lessThan": "1.4.52.6",
"status": "affected",
"version": "1.4.52",
"versionType": "custom"
},
{
"lessThan": "1.6.1.12",
"status": "affected",
"version": "1.6.1",
"versionType": "custom"
},
{
"lessThan": "1.7.1.7",
"status": "affected",
"version": "1.7.1",
"versionType": "custom"
},
{
"lessThan": "1.8.11.8",
"status": "affected",
"version": "1.8.11",
"versionType": "custom"
},
{
"lessThan": "1.8.41.4",
"status": "affected",
"version": "1.8.41",
"versionType": "custom"
},
{
"lessThan": "1.9.4.9",
"status": "affected",
"version": "1.9.4",
"versionType": "custom"
},
{
"lessThan": "1.9.18.7",
"status": "affected",
"version": "1.9.18",
"versionType": "custom"
},
{
"lessThan": "1.8.48",
"status": "affected",
"version": "1.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "1.9.46",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve",
"product": "org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.1.1.7",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.1.16.6",
"status": "affected",
"version": "1.1.16",
"versionType": "custom"
},
{
"lessThan": "1.1.18.7",
"status": "affected",
"version": "1.1.18",
"versionType": "custom"
},
{
"lessThan": "1.1.20.9",
"status": "affected",
"version": "1.1.20",
"versionType": "custom"
},
{
"lessThan": "1.1.26.11",
"status": "affected",
"version": "1.1.26",
"versionType": "custom"
},
{
"lessThan": "1.3.6.11",
"status": "affected",
"version": "1.3.6",
"versionType": "custom"
},
{
"lessThan": "1.4.0.21",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.4.25.27",
"status": "affected",
"version": "1.4.25",
"versionType": "custom"
},
{
"lessThan": "1.4.52.6",
"status": "affected",
"version": "1.4.52",
"versionType": "custom"
},
{
"lessThan": "1.6.1.12",
"status": "affected",
"version": "1.6.1",
"versionType": "custom"
},
{
"lessThan": "1.7.1.7",
"status": "affected",
"version": "1.7.1",
"versionType": "custom"
},
{
"lessThan": "1.8.11.8",
"status": "affected",
"version": "1.8.11",
"versionType": "custom"
},
{
"lessThan": "1.8.41.4",
"status": "affected",
"version": "1.8.41",
"versionType": "custom"
},
{
"lessThan": "1.9.4.9",
"status": "affected",
"version": "1.9.4",
"versionType": "custom"
},
{
"lessThan": "1.9.18.7",
"status": "affected",
"version": "1.9.18",
"versionType": "custom"
},
{
"lessThan": "1.8.48",
"status": "affected",
"version": "1.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "1.9.46",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.\u003cbr\u003e"
}
],
"value": "Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.\n\nSuccessful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T12:09:31.802Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4585",
"discovery": "INTERNAL"
},
"title": "Potential Broken Access Control in Multiple WSO2 Products via System REST APIs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-10611",
"datePublished": "2025-10-16T12:09:31.802Z",
"dateReserved": "2025-09-17T08:56:27.794Z",
"dateUpdated": "2025-10-16T13:34:31.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5717 (GCVE-0-2025-5717)
Vulnerability from cvelistv5 – Published: 2025-09-23 16:05 – Updated: 2025-10-31 15:06
VLAI?
Summary
An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.
Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.
Severity ?
6.8 (Medium)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 API Manager |
Unknown:
0 , < 3.0.0
(custom)
Affected: 3.0.0 , < 3.0.0.174 (custom) Affected: 3.1.0 , < 3.1.0.330 (custom) Affected: 3.2.0 , < 3.2.0.426 (custom) Affected: 3.2.1 , < 3.2.1.46 (custom) Affected: 4.0.0 , < 4.0.0.344 (custom) Affected: 4.1.0 , < 4.1.0.208 (custom) Affected: 4.2.0 , < 4.2.0.147 (custom) Affected: 4.3.0 , < 4.3.0.59 (custom) Affected: 4.4.0 , < 4.4.0.22 (custom) Affected: 4.5.0 , < 4.5.0.6 (custom) |
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
Noël MACCARY
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T18:31:28.992929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T18:37:55.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.174",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.330",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.426",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.46",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.344",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.208",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.147",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.59",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.22",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.6",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.379",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.6",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.6",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.siddhi:siddhi-extension-eval-scriptApache",
"product": "Siddhi Extension Evaluate Scripts",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.2.6.8",
"status": "affected",
"version": "3.2.6",
"versionType": "custom"
},
{
"lessThan": "3.2.7.6",
"status": "affected",
"version": "3.2.7",
"versionType": "custom"
},
{
"lessThan": "3.2.8.3",
"status": "affected",
"version": "3.2.8",
"versionType": "custom"
},
{
"lessThan": "3.2.10.1",
"status": "affected",
"version": "3.2.10",
"versionType": "custom"
},
{
"lessThan": "3.2.13.2",
"status": "affected",
"version": "3.2.13",
"versionType": "custom"
},
{
"lessThan": "3.2.14.1",
"status": "affected",
"version": "3.2.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "3.2.15",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "No\u00ebl MACCARY"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.\u003cbr\u003e\u003cbr\u003eExploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.\u003cbr\u003e"
}
],
"value": "An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.\n\nExploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T15:06:22.088Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4119",
"discovery": "EXTERNAL"
},
"title": "Authenticated Remote Code Execution in Multiple WSO2 Products via Event Processor Admin Service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-5717",
"datePublished": "2025-09-23T16:05:19.923Z",
"dateReserved": "2025-06-05T06:06:53.039Z",
"dateUpdated": "2025-10-31T15:06:22.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3511 (GCVE-0-2024-3511)
Vulnerability from cvelistv5 – Published: 2025-06-23 08:47 – Updated: 2025-06-23 12:43
VLAI?
Summary
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.
Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.
Severity ?
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Enterprise Integrator |
Unknown:
0 , < 6.6.0
(custom)
Affected: 6.6.0 , < 6.6.0.205 (custom) |
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
Credits
Viral Maniar - Security Researcher at Preemptive Cyber Security Pty Ltd
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3511",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-23T12:38:22.864048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T12:43:45.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.205",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.273",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.361",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.13",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.306",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.163",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.98",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.17",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.289",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.292",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.333",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.180",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.141",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.8",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.320",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.341",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.user.core",
"product": "WSO2 Carbon User Manager Kernel",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.5",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
},
{
"lessThan": "4.5.3.35",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.140",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.107",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.323",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.18",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.3",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.47",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.19",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.52",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.10",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.10.9.8",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.13",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Viral Maniar - Security Researcher at Preemptive Cyber Security Pty Ltd"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.\u003cbr\u003e"
}
],
"value": "An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.\n\nSuccessful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T08:47:55.266Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/#solution"
}
],
"source": {
"advisory": "WSO2-2024-2702",
"discovery": "EXTERNAL"
},
"title": "Incorrect Authorization in Multiple WSO2 Products Allows Unauthorized Access to Registry Versioned Files",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2024-3511",
"datePublished": "2025-06-23T08:47:55.266Z",
"dateReserved": "2024-04-09T12:08:02.707Z",
"dateUpdated": "2025-06-23T12:43:45.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8008 (GCVE-0-2024-8008)
Vulnerability from cvelistv5 – Published: 2025-06-02 16:48 – Updated: 2025-10-21 05:53
VLAI?
Summary
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.
This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.
Severity ?
5.2 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Enterprise Integrator |
Unknown:
0 , < 6.6.0
(custom)
Affected: 6.6.0 , < 6.6.0.211 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T17:05:11.526830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T17:05:24.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.211",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.305",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.396",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.28",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.313",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.182",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.121",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.32",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.1",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.16",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.321",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.328",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.374",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.216",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.201",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.69",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.374",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.354",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.16",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.17",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.16",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.user.store.configuration.ui",
"product": "WSO2 Carbon Identity User Store Configuration UI",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.14.127.9",
"status": "affected",
"version": "5.14.127",
"versionType": "custom"
},
{
"lessThan": "5.17.5.289",
"status": "affected",
"version": "5.17.5",
"versionType": "custom"
},
{
"lessThan": "5.17.118.10",
"status": "affected",
"version": "5.17.118",
"versionType": "custom"
},
{
"lessThan": "5.18.187.276",
"status": "affected",
"version": "5.18.187",
"versionType": "custom"
},
{
"lessThan": "5.18.248.22",
"status": "affected",
"version": "5.18.248",
"versionType": "custom"
},
{
"lessThan": "5.23.8.193",
"status": "affected",
"version": "5.23.8",
"versionType": "custom"
},
{
"lessThan": "5.24.8.11",
"status": "affected",
"version": "5.24.8",
"versionType": "custom"
},
{
"lessThan": "5.25.92.104",
"status": "affected",
"version": "5.25.92",
"versionType": "custom"
},
{
"lessThan": "5.25.705.10",
"status": "affected",
"version": "5.25.705",
"versionType": "custom"
},
{
"lessThan": "5.25.713.1",
"status": "affected",
"version": "5.25.713",
"versionType": "custom"
},
{
"lessThan": "5.25.724.1",
"status": "affected",
"version": "5.25.724",
"versionType": "custom"
},
{
"lessThan": "7.0.78.46",
"status": "affected",
"version": "7.0.78",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.5.12",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.\u003cbr\u003e\u003cbr\u003eThis vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible."
}
],
"value": "A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.\n\nThis vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T05:53:02.275Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/#solution"
}
],
"source": {
"advisory": "WSO2-2024-3178",
"discovery": "INTERNAL"
},
"title": "Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products via JDBC User Store Connection Validation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2024-8008",
"datePublished": "2025-06-02T16:48:12.479Z",
"dateReserved": "2024-08-20T11:32:44.245Z",
"dateUpdated": "2025-10-21T05:53:02.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10853 (GCVE-0-2025-10853)
Vulnerability from nvd – Published: 2025-11-05 19:21 – Updated: 2025-11-05 19:58
VLAI?
Summary
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.
Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.
Severity ?
5.2 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Open Banking IAM |
Unknown:
0 , < 2.0.0
(custom)
Affected: 2.0.0 , < 2.0.0.413 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
crnković
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T19:51:26.535789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T19:58:21.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.413",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.344",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.445",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.65",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.365",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.227",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.167",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.79",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.43",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.26",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.373",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.417",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.247",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.246",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.122",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.29",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.393",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.363",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.223",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.25",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.25",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui",
"product": "org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.7.32.14",
"status": "affected",
"version": "4.7.32",
"versionType": "custom"
},
{
"lessThan": "4.7.35.11",
"status": "affected",
"version": "4.7.35",
"versionType": "custom"
},
{
"lessThan": "4.7.39.9",
"status": "affected",
"version": "4.7.39",
"versionType": "custom"
},
{
"lessThan": "4.7.51.4",
"status": "affected",
"version": "4.7.51",
"versionType": "custom"
},
{
"lessThan": "4.8.3.9",
"status": "affected",
"version": "4.8.3",
"versionType": "custom"
},
{
"lessThan": "4.8.13.6",
"status": "affected",
"version": "4.8.13",
"versionType": "custom"
},
{
"lessThan": "4.8.32.3",
"status": "affected",
"version": "4.8.32",
"versionType": "custom"
},
{
"lessThan": "4.8.36.1",
"status": "affected",
"version": "4.8.36",
"versionType": "custom"
},
{
"lessThan": "4.8.43.1",
"status": "affected",
"version": "4.8.43",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.8.47",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui",
"product": "org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.7.24.7",
"status": "affected",
"version": "4.7.24",
"versionType": "custom"
},
{
"lessThan": "4.7.32.14",
"status": "affected",
"version": "4.7.32",
"versionType": "custom"
},
{
"lessThan": "4.7.33.13",
"status": "affected",
"version": "4.7.33",
"versionType": "custom"
},
{
"lessThan": "4.7.35.11",
"status": "affected",
"version": "4.7.35",
"versionType": "custom"
},
{
"lessThan": "4.7.39.9",
"status": "affected",
"version": "4.7.39",
"versionType": "custom"
},
{
"lessThan": "4.7.51.4",
"status": "affected",
"version": "4.7.51",
"versionType": "custom"
},
{
"lessThan": "4.8.3.9",
"status": "affected",
"version": "4.8.3",
"versionType": "custom"
},
{
"lessThan": "4.8.9.5",
"status": "affected",
"version": "4.8.9",
"versionType": "custom"
},
{
"lessThan": "4.8.12.5",
"status": "affected",
"version": "4.8.12",
"versionType": "custom"
},
{
"lessThan": "4.8.13.6",
"status": "affected",
"version": "4.8.13",
"versionType": "custom"
},
{
"lessThan": "4.8.24.3",
"status": "affected",
"version": "4.8.24",
"versionType": "custom"
},
{
"lessThan": "4.8.32.3",
"status": "affected",
"version": "4.8.32",
"versionType": "custom"
},
{
"lessThan": "4.8.36.1",
"status": "affected",
"version": "4.8.36",
"versionType": "custom"
},
{
"lessThan": "4.8.43.1",
"status": "affected",
"version": "4.8.43",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.8.47",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui",
"product": "org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.8.19.5",
"status": "affected",
"version": "4.8.19",
"versionType": "custom"
},
{
"lessThan": "4.8.21.9",
"status": "affected",
"version": "4.8.21",
"versionType": "custom"
},
{
"lessThan": "4.8.28.3",
"status": "affected",
"version": "4.8.28",
"versionType": "custom"
},
{
"lessThan": "4.8.30.3",
"status": "affected",
"version": "4.8.30",
"versionType": "custom"
},
{
"lessThan": "4.8.32.1",
"status": "affected",
"version": "4.8.32",
"versionType": "custom"
},
{
"lessThan": "4.8.33.3",
"status": "affected",
"version": "4.8.33",
"versionType": "custom"
},
{
"lessThan": "4.8.34.3",
"status": "affected",
"version": "4.8.34",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "4.8.35",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui",
"product": "org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.4.2.165",
"status": "affected",
"version": "6.4.2",
"versionType": "custom"
},
{
"lessThan": "6.4.111.155",
"status": "affected",
"version": "6.4.111",
"versionType": "custom"
},
{
"lessThan": "6.4.176.28",
"status": "affected",
"version": "6.4.176",
"versionType": "custom"
},
{
"lessThan": "6.4.180.12",
"status": "affected",
"version": "6.4.180",
"versionType": "custom"
},
{
"lessThan": "6.9.6.26",
"status": "affected",
"version": "6.9.6",
"versionType": "custom"
},
{
"lessThan": "6.13.16.19",
"status": "affected",
"version": "6.13.16",
"versionType": "custom"
},
{
"lessThan": "6.13.19.12",
"status": "affected",
"version": "6.13.19",
"versionType": "custom"
},
{
"lessThan": "6.13.27.5",
"status": "affected",
"version": "6.13.27",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.38",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0.349",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.413",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.1.0.344",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.0.445",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.1.65",
"versionStartIncluding": "3.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.365",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.227",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.167",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.3.0.79",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.0.43",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.26",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.373",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.417",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.0.247",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.0.246",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.0.122",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.0.29",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.393",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.363",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.0.223",
"versionStartIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.27",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.25",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.25",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.32.14",
"versionStartIncluding": "4.7.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.35.11",
"versionStartIncluding": "4.7.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.39.9",
"versionStartIncluding": "4.7.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.51.4",
"versionStartIncluding": "4.7.51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.3.9",
"versionStartIncluding": "4.8.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.13.6",
"versionStartIncluding": "4.8.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.32.3",
"versionStartIncluding": "4.8.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.36.1",
"versionStartIncluding": "4.8.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.43.1",
"versionStartIncluding": "4.8.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.8.47",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.24.7",
"versionStartIncluding": "4.7.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.32.14",
"versionStartIncluding": "4.7.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.33.13",
"versionStartIncluding": "4.7.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.35.11",
"versionStartIncluding": "4.7.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.39.9",
"versionStartIncluding": "4.7.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.51.4",
"versionStartIncluding": "4.7.51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.3.9",
"versionStartIncluding": "4.8.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.9.5",
"versionStartIncluding": "4.8.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.12.5",
"versionStartIncluding": "4.8.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.13.6",
"versionStartIncluding": "4.8.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.24.3",
"versionStartIncluding": "4.8.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.32.3",
"versionStartIncluding": "4.8.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.36.1",
"versionStartIncluding": "4.8.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.43.1",
"versionStartIncluding": "4.8.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.registry_org.wso2.carbon.registry.resource.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.8.47",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.19.5",
"versionStartIncluding": "4.8.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.21.9",
"versionStartIncluding": "4.8.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.28.3",
"versionStartIncluding": "4.8.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.30.3",
"versionStartIncluding": "4.8.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.32.1",
"versionStartIncluding": "4.8.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.33.3",
"versionStartIncluding": "4.8.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.34.3",
"versionStartIncluding": "4.8.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.8.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.2.165",
"versionStartIncluding": "6.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.111.155",
"versionStartIncluding": "6.4.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.176.28",
"versionStartIncluding": "6.4.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.180.12",
"versionStartIncluding": "6.4.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.6.26",
"versionStartIncluding": "6.9.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.16.19",
"versionStartIncluding": "6.13.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.19.12",
"versionStartIncluding": "6.13.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.27.5",
"versionStartIncluding": "6.13.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "6.13.*",
"versionStartIncluding": "6.13.38",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.identity.inbound.auth.oauth2_org.wso2.carbon.identity.oauth.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "7.0.349",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "crnkovi\u0107"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking."
}
],
"value": "A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.\n\nSuccessful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T19:21:32.971Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4486",
"discovery": "EXTERNAL"
},
"title": "Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-10853",
"datePublished": "2025-11-05T19:21:32.971Z",
"dateReserved": "2025-09-22T10:42:09.872Z",
"dateUpdated": "2025-11-05T19:58:21.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10907 (GCVE-0-2025-10907)
Vulnerability from nvd – Published: 2025-11-05 18:03 – Updated: 2025-11-05 18:49
VLAI?
Summary
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.
Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.
Severity ?
8.4 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 API Manager |
Unknown:
0 , < 3.1.0
(custom)
Affected: 3.1.0 , < 3.1.0.345 (custom) Affected: 3.2.0 , < 3.2.0.448 (custom) Affected: 3.2.1 , < 3.2.1.66 (custom) Affected: 4.0.0 , < 4.0.0.367 (custom) Affected: 4.1.0 , < 4.1.0.230 (custom) Affected: 4.2.0 , < 4.2.0.169 (custom) Affected: 4.3.0 , < 4.3.0.81 (custom) Affected: 4.4.0 , < 4.4.0.45 (custom) Affected: 4.5.0 , < 4.5.0.28 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
crnković
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10907",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T18:49:26.232581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T18:49:44.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.345",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.448",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.66",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.367",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.230",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.169",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.81",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.45",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.28",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.414",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.394",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.29",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Micro Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.0.0.145",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.147",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.141",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.375",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.419",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.248",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.248",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.124",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.31",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.365",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.224",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt",
"product": "org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt",
"vendor": "WSO2",
"versions": [
{
"lessThan": "0.14.13.8",
"status": "affected",
"version": "0.14.13",
"versionType": "custom"
},
{
"lessThan": "0.14.16.1",
"status": "affected",
"version": "0.14.16",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core",
"product": "org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.14.7",
"status": "affected",
"version": "2.2.14",
"versionType": "custom"
},
{
"lessThan": "2.2.17.2",
"status": "affected",
"version": "2.2.17",
"versionType": "custom"
},
{
"lessThan": "2.3.1.3",
"status": "affected",
"version": "2.3.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "2.3.19",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.mediation:org.wso2.carbon.mediation.library",
"product": "org.wso2.carbon.mediation:org.wso2.carbon.mediation.library",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.7.30.47",
"status": "affected",
"version": "4.7.30",
"versionType": "custom"
},
{
"lessThan": "4.7.61.62",
"status": "affected",
"version": "4.7.61",
"versionType": "custom"
},
{
"lessThan": "4.7.99.304",
"status": "affected",
"version": "4.7.99",
"versionType": "custom"
},
{
"lessThan": "4.7.131.22",
"status": "affected",
"version": "4.7.131",
"versionType": "custom"
},
{
"lessThan": "4.7.175.30",
"status": "affected",
"version": "4.7.175",
"versionType": "custom"
},
{
"lessThan": "4.7.188.12",
"status": "affected",
"version": "4.7.188",
"versionType": "custom"
},
{
"lessThan": "4.7.204.13",
"status": "affected",
"version": "4.7.204",
"versionType": "custom"
},
{
"lessThan": "4.7.221.7",
"status": "affected",
"version": "4.7.221",
"versionType": "custom"
},
{
"lessThan": "4.7.245.7",
"status": "affected",
"version": "4.7.245",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.7.262",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.deployment:org.wso2.carbon.module.mgt",
"product": "org.wso2.carbon.deployment:org.wso2.carbon.module.mgt",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.9.15.2",
"status": "affected",
"version": "4.9.15",
"versionType": "custom"
},
{
"lessThan": "4.10.1.1",
"status": "affected",
"version": "4.10.1",
"versionType": "custom"
},
{
"lessThan": "4.10.9.2",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.11.1.3",
"status": "affected",
"version": "4.11.1",
"versionType": "custom"
},
{
"lessThan": "4.11.3.3",
"status": "affected",
"version": "4.11.3",
"versionType": "custom"
},
{
"lessThan": "4.11.7.5",
"status": "affected",
"version": "4.11.7",
"versionType": "custom"
},
{
"lessThan": "4.11.14.2",
"status": "affected",
"version": "4.11.14",
"versionType": "custom"
},
{
"lessThan": "4.11.17.3",
"status": "affected",
"version": "4.11.17",
"versionType": "custom"
},
{
"lessThan": "4.11.18.1",
"status": "affected",
"version": "4.11.18",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.11.24",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt",
"product": "org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.10.1.1",
"status": "affected",
"version": "4.10.1",
"versionType": "custom"
},
{
"lessThan": "4.10.9.2",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.11.1.3",
"status": "affected",
"version": "4.11.1",
"versionType": "custom"
},
{
"lessThan": "4.11.3.3",
"status": "affected",
"version": "4.11.3",
"versionType": "custom"
},
{
"lessThan": "4.11.7.5",
"status": "affected",
"version": "4.11.7",
"versionType": "custom"
},
{
"lessThan": "4.11.14.2",
"status": "affected",
"version": "4.11.14",
"versionType": "custom"
},
{
"lessThan": "4.11.17.3",
"status": "affected",
"version": "4.11.17",
"versionType": "custom"
},
{
"lessThan": "4.11.18.1",
"status": "affected",
"version": "4.11.18",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.11.24",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.apache.ws.commons.axiom.wso2:axiom",
"product": "org.apache.ws.commons.axiom.wso2:axiom",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.2.11.wso2v17_5",
"status": "affected",
"version": "1.2.11",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "1.2.11-wso2v21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.base",
"product": "org.wso2.carbon:org.wso2.carbon.base",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.3.46",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.2005",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.153",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.668",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.37",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.15",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.72",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.40",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.103",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.26",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.11",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.12",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.71",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.14",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.30",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.95",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.utils",
"product": "org.wso2.carbon:org.wso2.carbon.utils",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.3.46",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.2005",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.153",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.668",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.37",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.15",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.72",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.40",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.103",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.26",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.11",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.12",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.71",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.14",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.30",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.95",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.1.0.345",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.0.448",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.1.66",
"versionStartIncluding": "3.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.367",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.230",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.169",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.3.0.81",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.0.45",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.28",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.414",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.394",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.29",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.27",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.27",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.145",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.147",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.141",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.375",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.419",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.0.248",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.0.248",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.0.124",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.0.31",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.365",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.0.224",
"versionStartIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.jaggeryjs_org.jaggeryjs.jaggery.app.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.14.13.8",
"versionStartIncluding": "0.14.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.jaggeryjs_org.jaggeryjs.jaggery.app.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.14.16.1",
"versionStartIncluding": "0.14.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.event-processing_org.wso2.carbon.event.simulator.core:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.2.14.7",
"versionStartIncluding": "2.2.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.event-processing_org.wso2.carbon.event.simulator.core:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.2.17.2",
"versionStartIncluding": "2.2.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.event-processing_org.wso2.carbon.event.simulator.core:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.3.1.3",
"versionStartIncluding": "2.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.event-processing_org.wso2.carbon.event.simulator.core:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "2.3.19",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.30.47",
"versionStartIncluding": "4.7.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.61.62",
"versionStartIncluding": "4.7.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.99.304",
"versionStartIncluding": "4.7.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.131.22",
"versionStartIncluding": "4.7.131",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.175.30",
"versionStartIncluding": "4.7.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.188.12",
"versionStartIncluding": "4.7.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.204.13",
"versionStartIncluding": "4.7.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.221.7",
"versionStartIncluding": "4.7.221",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.245.7",
"versionStartIncluding": "4.7.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.mediation.library:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.7.262",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.15.2",
"versionStartIncluding": "4.9.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.1.1",
"versionStartIncluding": "4.10.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.2",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.1.3",
"versionStartIncluding": "4.11.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.3.3",
"versionStartIncluding": "4.11.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.7.5",
"versionStartIncluding": "4.11.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.14.2",
"versionStartIncluding": "4.11.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.17.3",
"versionStartIncluding": "4.11.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.18.1",
"versionStartIncluding": "4.11.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.module.mgt:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.11.24",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.1.1",
"versionStartIncluding": "4.10.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.2",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.1.3",
"versionStartIncluding": "4.11.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.3.3",
"versionStartIncluding": "4.11.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.7.5",
"versionStartIncluding": "4.11.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.14.2",
"versionStartIncluding": "4.11.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.17.3",
"versionStartIncluding": "4.11.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.18.1",
"versionStartIncluding": "4.11.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.deployment_org.wso2.carbon.webapp.mgt:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.11.24",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.apache.ws.commons.axiom.wso2_axiom:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.2.11.wso2v17_5",
"versionStartIncluding": "1.2.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.apache.ws.commons.axiom.wso2_axiom:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "1.2.11-wso2v21",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.3.46",
"versionStartIncluding": "4.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.0.2005",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.1.153",
"versionStartIncluding": "4.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.2.668",
"versionStartIncluding": "4.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.3.37",
"versionStartIncluding": "4.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.4.15",
"versionStartIncluding": "4.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.1.72",
"versionStartIncluding": "4.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.1.40",
"versionStartIncluding": "4.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.0.103",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.26.26",
"versionStartIncluding": "4.9.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.27.11",
"versionStartIncluding": "4.9.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.28.12",
"versionStartIncluding": "4.9.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.71",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.42.14",
"versionStartIncluding": "4.10.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.9.*",
"versionStartIncluding": "4.9.30",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.base:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.10.95",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.3.46",
"versionStartIncluding": "4.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.0.2005",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.1.153",
"versionStartIncluding": "4.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.2.668",
"versionStartIncluding": "4.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.3.37",
"versionStartIncluding": "4.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.4.15",
"versionStartIncluding": "4.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.1.72",
"versionStartIncluding": "4.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.1.40",
"versionStartIncluding": "4.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.0.103",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.26.26",
"versionStartIncluding": "4.9.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.27.11",
"versionStartIncluding": "4.9.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.28.12",
"versionStartIncluding": "4.9.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.71",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.42.14",
"versionStartIncluding": "4.10.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.9.*",
"versionStartIncluding": "4.9.30",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.utils:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.10.95",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "crnkovi\u0107"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.\u003cbr\u003e"
}
],
"value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.\n\nSuccessful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T18:03:49.831Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4603",
"discovery": "EXTERNAL"
},
"title": "Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-10907",
"datePublished": "2025-11-05T18:03:49.831Z",
"dateReserved": "2025-09-24T09:25:09.461Z",
"dateUpdated": "2025-11-05T18:49:44.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10713 (GCVE-0-2025-10713)
Vulnerability from nvd – Published: 2025-11-05 17:18 – Updated: 2025-11-05 18:15
VLAI?
Summary
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
Severity ?
6.5 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Enterprise Integrator |
Unknown:
0 , < 6.6.0
(custom)
Affected: 6.6.0 , < 6.6.0.223 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
Credits
crnković
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T18:15:46.961845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T18:15:56.913Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.223",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.25",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.25",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.344",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.445",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.65",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.365",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.227",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.167",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.79",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.43",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.26",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.373",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.417",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.29",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.413",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.393",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.363",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.mediation:org.wso2.carbon.localentry",
"product": "org.wso2.carbon.mediation:org.wso2.carbon.localentry",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.7.30.46",
"status": "affected",
"version": "4.7.30",
"versionType": "custom"
},
{
"lessThan": "4.7.61.61",
"status": "affected",
"version": "4.7.61",
"versionType": "custom"
},
{
"lessThan": "4.7.99.303",
"status": "affected",
"version": "4.7.99",
"versionType": "custom"
},
{
"lessThan": "4.7.131.21",
"status": "affected",
"version": "4.7.131",
"versionType": "custom"
},
{
"lessThan": "4.7.175.29",
"status": "affected",
"version": "4.7.175",
"versionType": "custom"
},
{
"lessThan": "4.7.188.11",
"status": "affected",
"version": "4.7.188",
"versionType": "custom"
},
{
"lessThan": "4.7.204.12",
"status": "affected",
"version": "4.7.204",
"versionType": "custom"
},
{
"lessThan": "4.7.221.6",
"status": "affected",
"version": "4.7.221",
"versionType": "custom"
},
{
"lessThan": "4.7.245.6",
"status": "affected",
"version": "4.7.245",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.7.259",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.0.223",
"versionStartIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.27",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.25",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.25",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.1.0.344",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.0.445",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.1.65",
"versionStartIncluding": "3.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.365",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.227",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.167",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.3.0.79",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.0.43",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.26",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.373",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.417",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.0.29",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.413",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.393",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.363",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.30.46",
"versionStartIncluding": "4.7.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.61.61",
"versionStartIncluding": "4.7.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.99.303",
"versionStartIncluding": "4.7.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.131.21",
"versionStartIncluding": "4.7.131",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.175.29",
"versionStartIncluding": "4.7.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.188.11",
"versionStartIncluding": "4.7.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.204.12",
"versionStartIncluding": "4.7.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.221.6",
"versionStartIncluding": "4.7.221",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.245.6",
"versionStartIncluding": "4.7.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon.mediation_org.wso2.carbon.localentry:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.7.259",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "crnkovi\u0107"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.\u003cbr\u003e\u003cbr\u003eA successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server\u0027s filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.\u003cbr\u003e"
}
],
"value": "An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.\n\nA successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server\u0027s filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T17:18:24.719Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4505",
"discovery": "EXTERNAL"
},
"title": "XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-10713",
"datePublished": "2025-11-05T17:18:24.719Z",
"dateReserved": "2025-09-19T06:15:37.907Z",
"dateUpdated": "2025-11-05T18:15:56.913Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5605 (GCVE-0-2025-5605)
Vulnerability from nvd – Published: 2025-10-24 10:09 – Updated: 2025-10-24 11:44
VLAI?
Summary
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.
The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
Severity ?
4.3 (Medium)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Identity Server |
Unknown:
0 , < 5.10.0
(custom)
Affected: 5.10.0 , < 5.10.0.361 (custom) Affected: 5.11.0 , < 5.11.0.414 (custom) Affected: 6.0.0 , < 6.0.0.245 (custom) Affected: 6.1.0 , < 6.1.0.244 (custom) Affected: 7.0.0 , < 7.0.0.119 (custom) Affected: 7.1.0 , < 7.1.0.25 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Noël Maccary
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5605",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T11:44:00.454638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T11:44:58.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.361",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.414",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.245",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.244",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.119",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.25",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.217",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.10",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.10",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.334",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.430",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.48",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.346",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.210",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.148",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.61",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.24",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.10",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.11",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.354",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.382",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.403",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.ui",
"product": "org.wso2.carbon:org.wso2.carbon.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.3.40",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1224",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.150",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.664",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.32",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.8",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.69",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.33",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.100",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.20",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.4",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.4",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.68",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.10",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.29",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.90",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.361",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.414",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.0.245",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.0.244",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.0.119",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.0.25",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.0.217",
"versionStartIncluding": "6.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.10",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.10",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.1.0.334",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.0.430",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.1.48",
"versionStartIncluding": "3.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.0.346",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.210",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.0.148",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.3.0.61",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.0.24",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.10",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.0.11",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.354",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.382",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.403",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.5.3.40",
"versionStartIncluding": "4.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.0.1224",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.1.150",
"versionStartIncluding": "4.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.2.664",
"versionStartIncluding": "4.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.3.32",
"versionStartIncluding": "4.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.4.8",
"versionStartIncluding": "4.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.1.69",
"versionStartIncluding": "4.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.8.1.33",
"versionStartIncluding": "4.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.0.100",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.26.20",
"versionStartIncluding": "4.9.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.27.4",
"versionStartIncluding": "4.9.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.28.4",
"versionStartIncluding": "4.9.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.9.68",
"versionStartIncluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.10.42.10",
"versionStartIncluding": "4.10.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.9.*",
"versionStartIncluding": "4.9.29",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:wso2:org.wso2.carbon_org.wso2.carbon.ui:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.10.90",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "No\u00ebl Maccary"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\u003cbr\u003e\u003cbr\u003eThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.\u003cbr\u003e"
}
],
"value": "An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.\n\nThe known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T10:17:47.415Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4115/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4115",
"discovery": "EXTERNAL"
},
"title": "Authentication Bypass via URI Manipulation in Multiple WSO2 Products\u0027 Management Console Leading to Partial Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-5605",
"datePublished": "2025-10-24T10:09:59.591Z",
"dateReserved": "2025-06-04T10:51:11.459Z",
"dateUpdated": "2025-10-24T11:44:58.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5350 (GCVE-0-2025-5350)
Vulnerability from nvd – Published: 2025-10-24 10:08 – Updated: 2025-10-24 12:16
VLAI?
Summary
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context.
By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk.
Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.
Severity ?
5.9 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Identity Server |
Unknown:
0 , < 5.10.0
(custom)
Affected: 5.10.0 , < 5.10.0.359 (custom) Affected: 5.11.0 , < 5.11.0.415 (custom) Affected: 6.0.0 , < 6.0.0.246 (custom) Affected: 6.1.0 , < 6.1.0.245 (custom) Affected: 7.0.0 , < 7.0.0.120 (custom) Affected: 7.1.0 , < 7.1.0.27 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Noël MACCARY
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T12:16:39.906160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:16:49.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.359",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.415",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.246",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.245",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.120",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.27",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.218",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.332",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.428",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.47",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.369",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.209",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.147",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.60",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.23",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.7",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.7",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.7",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.7",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.380",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.401",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.352",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.ui",
"product": "org.wso2.carbon:org.wso2.carbon.ui",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.3.41",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1087",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.151",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.672",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.30",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.7",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.70",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.32",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.101",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.19",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.3",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.1",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.69",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.11",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.29",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.93",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "No\u00ebl MACCARY"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user\u0027s browser context.\u003cbr\u003e\u003cbr\u003eBy tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin\u2019s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk.\u003cbr\u003e\u003cbr\u003eFurthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.\u003cbr\u003e"
}
],
"value": "SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user\u0027s browser context.\n\nBy tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin\u2019s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk.\n\nFurthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T10:15:53.793Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4124/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4124",
"discovery": "EXTERNAL"
},
"title": "SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-5350",
"datePublished": "2025-10-24T10:08:07.719Z",
"dateReserved": "2025-05-30T06:56:02.711Z",
"dateUpdated": "2025-10-24T12:16:49.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9804 (GCVE-0-2025-9804)
Vulnerability from nvd – Published: 2025-10-16 12:33 – Updated: 2025-10-17 16:01
VLAI?
Summary
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
Severity ?
9.6 (Critical)
8.9 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Identity Server as Key Manager |
Unknown:
0 , < 5.3.0
(custom)
Affected: 5.3.0 , < 5.3.0.41 (custom) Affected: 5.5.0 , < 5.5.0.53 (custom) Affected: 5.6.0 , < 5.6.0.75 (custom) Affected: 5.7.0 , < 5.7.0.125 (custom) Affected: 5.9.0 , < 5.9.0.176 (custom) Affected: 5.10.0 , < 5.10.0.359 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
crnković
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T13:20:20.582589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T16:01:25.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.3.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.41",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.53",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.75",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.125",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.176",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.359",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.2.0.34",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.36",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.4.0.34",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.4.1.38",
"status": "affected",
"version": "5.4.1",
"versionType": "custom"
},
{
"lessThan": "5.5.0.52",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.60",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.126",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.8.0.110",
"status": "affected",
"version": "5.8.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.169",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.369",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.413",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.244",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.243",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.118",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.25",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking KM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.133",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.123",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.409",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.139",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.140",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.389",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.31",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.1.0.40",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.59",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.85",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
},
{
"lessThan": "2.6.0.146",
"status": "affected",
"version": "2.6.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.176",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.340",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.441",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.61",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.361",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.224",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.162",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.75",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.39",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.23",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server Analytics",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.2.0.19",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.17",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.31",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.38",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "API Manager Analytics",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.14",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.1.0.19",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.30",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.39",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.2.0.62",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.3.0.70",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Service Bus Analytics",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.0.0.13",
"status": "affected",
"version": "5.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Data Analytics Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.20",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.33",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Mobility Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.28",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.22",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.24",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.22",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector",
"product": "org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.10.1",
"status": "affected",
"version": "2.0.10",
"versionType": "custom"
},
{
"lessThan": "2.0.15.1",
"status": "affected",
"version": "2.0.15",
"versionType": "custom"
},
{
"lessThan": "2.0.21.1",
"status": "affected",
"version": "2.0.21",
"versionType": "custom"
},
{
"lessThan": "2.0.22.1",
"status": "affected",
"version": "2.0.22",
"versionType": "custom"
},
{
"lessThan": "2.1.12.1",
"status": "affected",
"version": "2.1.12",
"versionType": "custom"
},
{
"lessThan": "2.1.1972",
"status": "affected",
"version": "2.1",
"versionType": "custom"
},
{
"lessThan": "2.2.24",
"status": "affected",
"version": "2.2",
"versionType": "custom"
},
{
"lessThan": "2.2.25",
"status": "affected",
"version": "2.2",
"versionType": "custom"
},
{
"lessThan": "3.1.0.74",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.3.6.7",
"status": "affected",
"version": "3.3.6",
"versionType": "custom"
},
{
"lessThan": "3.3.26.2",
"status": "affected",
"version": "3.3.26",
"versionType": "custom"
},
{
"lessThan": "3.3.35.1",
"status": "affected",
"version": "3.3.35",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "3.3.41",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util",
"product": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.7.206.567",
"status": "affected",
"version": "6.7.206",
"versionType": "custom"
},
{
"lessThan": "6.7.210.63",
"status": "affected",
"version": "6.7.210",
"versionType": "custom"
},
{
"lessThan": "9.0.174.522",
"status": "affected",
"version": "9.0.174",
"versionType": "custom"
},
{
"lessThan": "9.20.74.379",
"status": "affected",
"version": "9.20.74",
"versionType": "custom"
},
{
"lessThan": "9.28.116.360",
"status": "affected",
"version": "9.28.116",
"versionType": "custom"
},
{
"lessThan": "9.29.120.184",
"status": "affected",
"version": "9.29.120",
"versionType": "custom"
},
{
"lessThan": "9.30.67.109",
"status": "affected",
"version": "9.30.67",
"versionType": "custom"
},
{
"lessThan": "9.31.86.71",
"status": "affected",
"version": "9.31.86",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "9.32.133",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.base",
"product": "org.wso2.carbon:org.wso2.carbon.base",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.4.7.6",
"status": "affected",
"version": "4.4.7",
"versionType": "custom"
},
{
"lessThan": "4.4.9.11",
"status": "affected",
"version": "4.4.9",
"versionType": "custom"
},
{
"lessThan": "4.4.11.9",
"status": "affected",
"version": "4.4.11",
"versionType": "custom"
},
{
"lessThan": "4.4.26.12",
"status": "affected",
"version": "4.4.26",
"versionType": "custom"
},
{
"lessThan": "4.4.35.44",
"status": "affected",
"version": "4.4.35",
"versionType": "custom"
},
{
"lessThan": "4.5.1.43",
"status": "affected",
"version": "4.5.1",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1990",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.149",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.667",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.36",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.14",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.68",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.39",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.99",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.25",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.10",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.11",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.66",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.9",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThan": "4.9.29",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"lessThan": "4.10.94",
"status": "affected",
"version": "4.10",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt",
"product": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.2.0.4",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.2.2.21",
"status": "affected",
"version": "5.2.2",
"versionType": "custom"
},
{
"lessThan": "5.7.5.18",
"status": "affected",
"version": "5.7.5",
"versionType": "custom"
},
{
"lessThan": "5.11.148.19",
"status": "affected",
"version": "5.11.148",
"versionType": "custom"
},
{
"lessThan": "5.11.256.21",
"status": "affected",
"version": "5.11.256",
"versionType": "custom"
},
{
"lessThan": "5.12.153.63",
"status": "affected",
"version": "5.12.153",
"versionType": "custom"
},
{
"lessThan": "5.12.387.46",
"status": "affected",
"version": "5.12.387",
"versionType": "custom"
},
{
"lessThan": "5.14.97.89",
"status": "affected",
"version": "5.14.97",
"versionType": "custom"
},
{
"lessThan": "5.17.5.317",
"status": "affected",
"version": "5.17.5",
"versionType": "custom"
},
{
"lessThan": "5.17.118.17",
"status": "affected",
"version": "5.17.118",
"versionType": "custom"
},
{
"lessThan": "5.18.187.309",
"status": "affected",
"version": "5.18.187",
"versionType": "custom"
},
{
"lessThan": "5.18.248.30",
"status": "affected",
"version": "5.18.248",
"versionType": "custom"
},
{
"lessThan": "5.23.8.207",
"status": "affected",
"version": "5.23.8",
"versionType": "custom"
},
{
"lessThan": "5.24.8.23",
"status": "affected",
"version": "5.24.8",
"versionType": "custom"
},
{
"lessThan": "5.25.92.152",
"status": "affected",
"version": "5.25.92",
"versionType": "custom"
},
{
"lessThan": "5.25.705.19",
"status": "affected",
"version": "5.25.705",
"versionType": "custom"
},
{
"lessThan": "5.25.713.9",
"status": "affected",
"version": "5.25.713",
"versionType": "custom"
},
{
"lessThan": "5.25.724.3",
"status": "affected",
"version": "5.25.724",
"versionType": "custom"
},
{
"lessThan": "7.0.78.133",
"status": "affected",
"version": "7.0.78",
"versionType": "custom"
},
{
"lessThan": "7.8.23.47",
"status": "affected",
"version": "7.8.23",
"versionType": "custom"
},
{
"lessThan": "5.25.734",
"status": "affected",
"version": "5.25",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.8.489",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.server.admin",
"product": "org.wso2.carbon:org.wso2.carbon.server.admin",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.4.7.6",
"status": "affected",
"version": "4.4.7",
"versionType": "custom"
},
{
"lessThan": "4.4.9.11",
"status": "affected",
"version": "4.4.9",
"versionType": "custom"
},
{
"lessThan": "4.4.11.9",
"status": "affected",
"version": "4.4.11",
"versionType": "custom"
},
{
"lessThan": "4.4.26.12",
"status": "affected",
"version": "4.4.26",
"versionType": "custom"
},
{
"lessThan": "4.4.32.16",
"status": "affected",
"version": "4.4.32",
"versionType": "custom"
},
{
"lessThan": "4.4.35.44",
"status": "affected",
"version": "4.4.35",
"versionType": "custom"
},
{
"lessThan": "4.5.1.43",
"status": "affected",
"version": "4.5.1",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1990",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.149",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.667",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.36",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.14",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.68",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.39",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.99",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.25",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.10",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.11",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.66",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.9",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThan": "4.9.29",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"lessThan": "4.10.94",
"status": "affected",
"version": "4.10",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow",
"product": "org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.1.1.1",
"status": "affected",
"version": "5.1.1",
"versionType": "custom"
},
{
"lessThan": "5.1.2.1",
"status": "affected",
"version": "5.1.2",
"versionType": "custom"
},
{
"lessThan": "5.1.5.1",
"status": "affected",
"version": "5.1.5",
"versionType": "custom"
},
{
"lessThan": "5.3.3.1",
"status": "affected",
"version": "5.3.3",
"versionType": "custom"
},
{
"lessThan": "5.4.0.4",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.4.1.5",
"status": "affected",
"version": "5.4.1",
"versionType": "custom"
},
{
"lessThan": "5.6.0.1",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.6.21",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "crnkovi\u0107"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\u003cbr\u003e\u003cbr\u003eThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected.\u003cbr\u003e"
}
],
"value": "An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\n\nThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "For WSO2 API Manager"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "For WSO2 Identity Server"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T12:33:45.426Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4503",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-9804",
"datePublished": "2025-10-16T12:33:45.426Z",
"dateReserved": "2025-09-01T13:11:12.678Z",
"dateUpdated": "2025-10-17T16:01:25.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10611 (GCVE-0-2025-10611)
Vulnerability from nvd – Published: 2025-10-16 12:09 – Updated: 2025-10-16 13:34
VLAI?
Summary
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.
Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.
Severity ?
9.8 (Critical)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 API Manager |
Unknown:
0 , < 2.1.0
(custom)
Affected: 2.1.0 , < 2.1.0.42 (custom) Affected: 2.2.0 , < 2.2.0.61 (custom) Affected: 2.5.0 , < 2.5.0.87 (custom) Affected: 2.6.0 , < 2.6.0.148 (custom) Affected: 3.0.0 , < 3.0.0.178 (custom) Affected: 3.1.0 , < 3.1.0.345 (custom) Affected: 3.2.0 , < 3.2.0.446 (custom) Affected: 3.2.1 , < 3.2.1.66 (custom) Affected: 4.0.0 , < 4.0.0.366 (custom) Affected: 4.1.0 , < 4.1.0.228 (custom) Affected: 4.2.0 , < 4.2.0.169 (custom) Affected: 4.3.0 , < 4.3.0.81 (custom) Affected: 4.4.0 , < 4.4.0.45 (custom) Affected: 4.5.0 , < 4.5.0.28 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10611",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T13:24:33.931504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T13:34:31.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.1.0.42",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.61",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.87",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
},
{
"lessThan": "2.6.0.148",
"status": "affected",
"version": "2.6.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.178",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.345",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.446",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.66",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.366",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.228",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.169",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.81",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.45",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.28",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.29",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.141",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.142",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.394",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.414",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.3.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.39",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.54",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.62",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.128",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.8.0.112",
"status": "affected",
"version": "5.8.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.171",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.375",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.419",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.248",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.248",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.124",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.31",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.3.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.44",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.55",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.77",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.127",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.178",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.365",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking KM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.135",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.125",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.27",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service",
"product": "org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.1.1.7",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.1.16.6",
"status": "affected",
"version": "1.1.16",
"versionType": "custom"
},
{
"lessThan": "1.1.18.7",
"status": "affected",
"version": "1.1.18",
"versionType": "custom"
},
{
"lessThan": "1.1.20.9",
"status": "affected",
"version": "1.1.20",
"versionType": "custom"
},
{
"lessThan": "1.1.26.11",
"status": "affected",
"version": "1.1.26",
"versionType": "custom"
},
{
"lessThan": "1.3.6.11",
"status": "affected",
"version": "1.3.6",
"versionType": "custom"
},
{
"lessThan": "1.4.0.21",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.4.25.27",
"status": "affected",
"version": "1.4.25",
"versionType": "custom"
},
{
"lessThan": "1.4.52.6",
"status": "affected",
"version": "1.4.52",
"versionType": "custom"
},
{
"lessThan": "1.6.1.12",
"status": "affected",
"version": "1.6.1",
"versionType": "custom"
},
{
"lessThan": "1.7.1.7",
"status": "affected",
"version": "1.7.1",
"versionType": "custom"
},
{
"lessThan": "1.8.11.8",
"status": "affected",
"version": "1.8.11",
"versionType": "custom"
},
{
"lessThan": "1.8.41.4",
"status": "affected",
"version": "1.8.41",
"versionType": "custom"
},
{
"lessThan": "1.9.4.9",
"status": "affected",
"version": "1.9.4",
"versionType": "custom"
},
{
"lessThan": "1.9.18.7",
"status": "affected",
"version": "1.9.18",
"versionType": "custom"
},
{
"lessThan": "1.8.48",
"status": "affected",
"version": "1.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "1.9.46",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve",
"product": "org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.1.1.7",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.1.16.6",
"status": "affected",
"version": "1.1.16",
"versionType": "custom"
},
{
"lessThan": "1.1.18.7",
"status": "affected",
"version": "1.1.18",
"versionType": "custom"
},
{
"lessThan": "1.1.20.9",
"status": "affected",
"version": "1.1.20",
"versionType": "custom"
},
{
"lessThan": "1.1.26.11",
"status": "affected",
"version": "1.1.26",
"versionType": "custom"
},
{
"lessThan": "1.3.6.11",
"status": "affected",
"version": "1.3.6",
"versionType": "custom"
},
{
"lessThan": "1.4.0.21",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.4.25.27",
"status": "affected",
"version": "1.4.25",
"versionType": "custom"
},
{
"lessThan": "1.4.52.6",
"status": "affected",
"version": "1.4.52",
"versionType": "custom"
},
{
"lessThan": "1.6.1.12",
"status": "affected",
"version": "1.6.1",
"versionType": "custom"
},
{
"lessThan": "1.7.1.7",
"status": "affected",
"version": "1.7.1",
"versionType": "custom"
},
{
"lessThan": "1.8.11.8",
"status": "affected",
"version": "1.8.11",
"versionType": "custom"
},
{
"lessThan": "1.8.41.4",
"status": "affected",
"version": "1.8.41",
"versionType": "custom"
},
{
"lessThan": "1.9.4.9",
"status": "affected",
"version": "1.9.4",
"versionType": "custom"
},
{
"lessThan": "1.9.18.7",
"status": "affected",
"version": "1.9.18",
"versionType": "custom"
},
{
"lessThan": "1.8.48",
"status": "affected",
"version": "1.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "1.9.46",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.\u003cbr\u003e"
}
],
"value": "Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.\n\nSuccessful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T12:09:31.802Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4585",
"discovery": "INTERNAL"
},
"title": "Potential Broken Access Control in Multiple WSO2 Products via System REST APIs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-10611",
"datePublished": "2025-10-16T12:09:31.802Z",
"dateReserved": "2025-09-17T08:56:27.794Z",
"dateUpdated": "2025-10-16T13:34:31.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5717 (GCVE-0-2025-5717)
Vulnerability from nvd – Published: 2025-09-23 16:05 – Updated: 2025-10-31 15:06
VLAI?
Summary
An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.
Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.
Severity ?
6.8 (Medium)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 API Manager |
Unknown:
0 , < 3.0.0
(custom)
Affected: 3.0.0 , < 3.0.0.174 (custom) Affected: 3.1.0 , < 3.1.0.330 (custom) Affected: 3.2.0 , < 3.2.0.426 (custom) Affected: 3.2.1 , < 3.2.1.46 (custom) Affected: 4.0.0 , < 4.0.0.344 (custom) Affected: 4.1.0 , < 4.1.0.208 (custom) Affected: 4.2.0 , < 4.2.0.147 (custom) Affected: 4.3.0 , < 4.3.0.59 (custom) Affected: 4.4.0 , < 4.4.0.22 (custom) Affected: 4.5.0 , < 4.5.0.6 (custom) |
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
Noël MACCARY
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T18:31:28.992929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T18:37:55.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.174",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.330",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.426",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.46",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.344",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.208",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.147",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.59",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.22",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.6",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.379",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.6",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.6",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.siddhi:siddhi-extension-eval-scriptApache",
"product": "Siddhi Extension Evaluate Scripts",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.2.6.8",
"status": "affected",
"version": "3.2.6",
"versionType": "custom"
},
{
"lessThan": "3.2.7.6",
"status": "affected",
"version": "3.2.7",
"versionType": "custom"
},
{
"lessThan": "3.2.8.3",
"status": "affected",
"version": "3.2.8",
"versionType": "custom"
},
{
"lessThan": "3.2.10.1",
"status": "affected",
"version": "3.2.10",
"versionType": "custom"
},
{
"lessThan": "3.2.13.2",
"status": "affected",
"version": "3.2.13",
"versionType": "custom"
},
{
"lessThan": "3.2.14.1",
"status": "affected",
"version": "3.2.14",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "3.2.15",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "No\u00ebl MACCARY"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.\u003cbr\u003e\u003cbr\u003eExploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.\u003cbr\u003e"
}
],
"value": "An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.\n\nExploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T15:06:22.088Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4119",
"discovery": "EXTERNAL"
},
"title": "Authenticated Remote Code Execution in Multiple WSO2 Products via Event Processor Admin Service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-5717",
"datePublished": "2025-09-23T16:05:19.923Z",
"dateReserved": "2025-06-05T06:06:53.039Z",
"dateUpdated": "2025-10-31T15:06:22.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3511 (GCVE-0-2024-3511)
Vulnerability from nvd – Published: 2025-06-23 08:47 – Updated: 2025-06-23 12:43
VLAI?
Summary
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.
Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.
Severity ?
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Enterprise Integrator |
Unknown:
0 , < 6.6.0
(custom)
Affected: 6.6.0 , < 6.6.0.205 (custom) |
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
Credits
Viral Maniar - Security Researcher at Preemptive Cyber Security Pty Ltd
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3511",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-23T12:38:22.864048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T12:43:45.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.205",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.273",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.361",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.13",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.306",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.163",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.98",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.17",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.289",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.292",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.333",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.180",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.141",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.8",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.320",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.341",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.user.core",
"product": "WSO2 Carbon User Manager Kernel",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.5",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
},
{
"lessThan": "4.5.3.35",
"status": "affected",
"version": "4.5.3",
"versionType": "custom"
},
{
"lessThan": "4.6.0.140",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.107",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.323",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.18",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.3",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.47",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.19",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.52",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.10",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.10.9.8",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.10.13",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Viral Maniar - Security Researcher at Preemptive Cyber Security Pty Ltd"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.\u003cbr\u003e"
}
],
"value": "An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.\n\nSuccessful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T08:47:55.266Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/#solution"
}
],
"source": {
"advisory": "WSO2-2024-2702",
"discovery": "EXTERNAL"
},
"title": "Incorrect Authorization in Multiple WSO2 Products Allows Unauthorized Access to Registry Versioned Files",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2024-3511",
"datePublished": "2025-06-23T08:47:55.266Z",
"dateReserved": "2024-04-09T12:08:02.707Z",
"dateUpdated": "2025-06-23T12:43:45.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8008 (GCVE-0-2024-8008)
Vulnerability from nvd – Published: 2025-06-02 16:48 – Updated: 2025-10-21 05:53
VLAI?
Summary
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.
This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.
Severity ?
5.2 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Enterprise Integrator |
Unknown:
0 , < 6.6.0
(custom)
Affected: 6.6.0 , < 6.6.0.211 (custom) |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T17:05:11.526830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T17:05:24.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.6.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.0.211",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.305",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.396",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.28",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.313",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.182",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.121",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.32",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.1",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.16",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.321",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.328",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.374",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.216",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.201",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.69",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.374",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.354",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.16",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.17",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.16",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.user.store.configuration.ui",
"product": "WSO2 Carbon Identity User Store Configuration UI",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.14.127.9",
"status": "affected",
"version": "5.14.127",
"versionType": "custom"
},
{
"lessThan": "5.17.5.289",
"status": "affected",
"version": "5.17.5",
"versionType": "custom"
},
{
"lessThan": "5.17.118.10",
"status": "affected",
"version": "5.17.118",
"versionType": "custom"
},
{
"lessThan": "5.18.187.276",
"status": "affected",
"version": "5.18.187",
"versionType": "custom"
},
{
"lessThan": "5.18.248.22",
"status": "affected",
"version": "5.18.248",
"versionType": "custom"
},
{
"lessThan": "5.23.8.193",
"status": "affected",
"version": "5.23.8",
"versionType": "custom"
},
{
"lessThan": "5.24.8.11",
"status": "affected",
"version": "5.24.8",
"versionType": "custom"
},
{
"lessThan": "5.25.92.104",
"status": "affected",
"version": "5.25.92",
"versionType": "custom"
},
{
"lessThan": "5.25.705.10",
"status": "affected",
"version": "5.25.705",
"versionType": "custom"
},
{
"lessThan": "5.25.713.1",
"status": "affected",
"version": "5.25.713",
"versionType": "custom"
},
{
"lessThan": "5.25.724.1",
"status": "affected",
"version": "5.25.724",
"versionType": "custom"
},
{
"lessThan": "7.0.78.46",
"status": "affected",
"version": "7.0.78",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.5.12",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.\u003cbr\u003e\u003cbr\u003eThis vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible."
}
],
"value": "A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.\n\nThis vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T05:53:02.275Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/#solution"
}
],
"source": {
"advisory": "WSO2-2024-3178",
"discovery": "INTERNAL"
},
"title": "Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products via JDBC User Store Connection Validation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2024-8008",
"datePublished": "2025-06-02T16:48:12.479Z",
"dateReserved": "2024-08-20T11:32:44.245Z",
"dateUpdated": "2025-10-21T05:53:02.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}