CVE-2025-9804 (GCVE-0-2025-9804)
Vulnerability from cvelistv5 – Published: 2025-10-16 12:33 – Updated: 2025-10-17 16:01
VLAI?
Summary
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
Severity ?
9.6 (Critical)
8.9 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WSO2 | WSO2 Identity Server as Key Manager |
Unknown:
0 , < 5.3.0
(custom)
Affected: 5.3.0 , < 5.3.0.41 (custom) Affected: 5.5.0 , < 5.5.0.53 (custom) Affected: 5.6.0 , < 5.6.0.75 (custom) Affected: 5.7.0 , < 5.7.0.125 (custom) Affected: 5.9.0 , < 5.9.0.176 (custom) Affected: 5.10.0 , < 5.10.0.359 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
crnković
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T13:20:20.582589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T16:01:25.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.3.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.41",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.53",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.75",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.125",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.176",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.359",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.2.0.34",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.36",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.4.0.34",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.4.1.38",
"status": "affected",
"version": "5.4.1",
"versionType": "custom"
},
{
"lessThan": "5.5.0.52",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.60",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThan": "5.7.0.126",
"status": "affected",
"version": "5.7.0",
"versionType": "custom"
},
{
"lessThan": "5.8.0.110",
"status": "affected",
"version": "5.8.0",
"versionType": "custom"
},
{
"lessThan": "5.9.0.169",
"status": "affected",
"version": "5.9.0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.369",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.413",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.244",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.243",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.118",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.1.0.25",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking KM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.133",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.123",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.409",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking AM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.4.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.4.0.139",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThan": "1.5.0.140",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.389",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.31",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.1.0.40",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.59",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.85",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
},
{
"lessThan": "2.6.0.146",
"status": "affected",
"version": "2.6.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0.176",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.340",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.441",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.2.1.61",
"status": "affected",
"version": "3.2.1",
"versionType": "custom"
},
{
"lessThan": "4.0.0.361",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.0.224",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.2.0.162",
"status": "affected",
"version": "4.2.0",
"versionType": "custom"
},
{
"lessThan": "4.3.0.75",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
},
{
"lessThan": "4.4.0.39",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.5.0.23",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server Analytics",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.2.0.19",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.3.0.17",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.5.0.31",
"status": "affected",
"version": "5.5.0",
"versionType": "custom"
},
{
"lessThan": "5.6.0.38",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "API Manager Analytics",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.14",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThan": "2.1.0.19",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.30",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "2.5.0.39",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Integrator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.2.0.62",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.3.0.70",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Service Bus Analytics",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.0.0.13",
"status": "affected",
"version": "5.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Data Analytics Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.1.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.1.0.20",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.2.0.33",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Enterprise Mobility Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.2.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.2.0.28",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Universal Gateway",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.22",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 API Control Plane",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.24",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Traffic Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.5.0.22",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector",
"product": "org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.10.1",
"status": "affected",
"version": "2.0.10",
"versionType": "custom"
},
{
"lessThan": "2.0.15.1",
"status": "affected",
"version": "2.0.15",
"versionType": "custom"
},
{
"lessThan": "2.0.21.1",
"status": "affected",
"version": "2.0.21",
"versionType": "custom"
},
{
"lessThan": "2.0.22.1",
"status": "affected",
"version": "2.0.22",
"versionType": "custom"
},
{
"lessThan": "2.1.12.1",
"status": "affected",
"version": "2.1.12",
"versionType": "custom"
},
{
"lessThan": "2.1.1972",
"status": "affected",
"version": "2.1",
"versionType": "custom"
},
{
"lessThan": "2.2.24",
"status": "affected",
"version": "2.2",
"versionType": "custom"
},
{
"lessThan": "2.2.25",
"status": "affected",
"version": "2.2",
"versionType": "custom"
},
{
"lessThan": "3.1.0.74",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.3.6.7",
"status": "affected",
"version": "3.3.6",
"versionType": "custom"
},
{
"lessThan": "3.3.26.2",
"status": "affected",
"version": "3.3.26",
"versionType": "custom"
},
{
"lessThan": "3.3.35.1",
"status": "affected",
"version": "3.3.35",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "3.3.41",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util",
"product": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util",
"vendor": "WSO2",
"versions": [
{
"lessThan": "6.7.206.567",
"status": "affected",
"version": "6.7.206",
"versionType": "custom"
},
{
"lessThan": "6.7.210.63",
"status": "affected",
"version": "6.7.210",
"versionType": "custom"
},
{
"lessThan": "9.0.174.522",
"status": "affected",
"version": "9.0.174",
"versionType": "custom"
},
{
"lessThan": "9.20.74.379",
"status": "affected",
"version": "9.20.74",
"versionType": "custom"
},
{
"lessThan": "9.28.116.360",
"status": "affected",
"version": "9.28.116",
"versionType": "custom"
},
{
"lessThan": "9.29.120.184",
"status": "affected",
"version": "9.29.120",
"versionType": "custom"
},
{
"lessThan": "9.30.67.109",
"status": "affected",
"version": "9.30.67",
"versionType": "custom"
},
{
"lessThan": "9.31.86.71",
"status": "affected",
"version": "9.31.86",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "9.32.133",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.base",
"product": "org.wso2.carbon:org.wso2.carbon.base",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.4.7.6",
"status": "affected",
"version": "4.4.7",
"versionType": "custom"
},
{
"lessThan": "4.4.9.11",
"status": "affected",
"version": "4.4.9",
"versionType": "custom"
},
{
"lessThan": "4.4.11.9",
"status": "affected",
"version": "4.4.11",
"versionType": "custom"
},
{
"lessThan": "4.4.26.12",
"status": "affected",
"version": "4.4.26",
"versionType": "custom"
},
{
"lessThan": "4.4.35.44",
"status": "affected",
"version": "4.4.35",
"versionType": "custom"
},
{
"lessThan": "4.5.1.43",
"status": "affected",
"version": "4.5.1",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1990",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.149",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.667",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.36",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.14",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.68",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.39",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.99",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.25",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.10",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.11",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.66",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.9",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThan": "4.9.29",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"lessThan": "4.10.94",
"status": "affected",
"version": "4.10",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt",
"product": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.2.0.4",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.2.2.21",
"status": "affected",
"version": "5.2.2",
"versionType": "custom"
},
{
"lessThan": "5.7.5.18",
"status": "affected",
"version": "5.7.5",
"versionType": "custom"
},
{
"lessThan": "5.11.148.19",
"status": "affected",
"version": "5.11.148",
"versionType": "custom"
},
{
"lessThan": "5.11.256.21",
"status": "affected",
"version": "5.11.256",
"versionType": "custom"
},
{
"lessThan": "5.12.153.63",
"status": "affected",
"version": "5.12.153",
"versionType": "custom"
},
{
"lessThan": "5.12.387.46",
"status": "affected",
"version": "5.12.387",
"versionType": "custom"
},
{
"lessThan": "5.14.97.89",
"status": "affected",
"version": "5.14.97",
"versionType": "custom"
},
{
"lessThan": "5.17.5.317",
"status": "affected",
"version": "5.17.5",
"versionType": "custom"
},
{
"lessThan": "5.17.118.17",
"status": "affected",
"version": "5.17.118",
"versionType": "custom"
},
{
"lessThan": "5.18.187.309",
"status": "affected",
"version": "5.18.187",
"versionType": "custom"
},
{
"lessThan": "5.18.248.30",
"status": "affected",
"version": "5.18.248",
"versionType": "custom"
},
{
"lessThan": "5.23.8.207",
"status": "affected",
"version": "5.23.8",
"versionType": "custom"
},
{
"lessThan": "5.24.8.23",
"status": "affected",
"version": "5.24.8",
"versionType": "custom"
},
{
"lessThan": "5.25.92.152",
"status": "affected",
"version": "5.25.92",
"versionType": "custom"
},
{
"lessThan": "5.25.705.19",
"status": "affected",
"version": "5.25.705",
"versionType": "custom"
},
{
"lessThan": "5.25.713.9",
"status": "affected",
"version": "5.25.713",
"versionType": "custom"
},
{
"lessThan": "5.25.724.3",
"status": "affected",
"version": "5.25.724",
"versionType": "custom"
},
{
"lessThan": "7.0.78.133",
"status": "affected",
"version": "7.0.78",
"versionType": "custom"
},
{
"lessThan": "7.8.23.47",
"status": "affected",
"version": "7.8.23",
"versionType": "custom"
},
{
"lessThan": "5.25.734",
"status": "affected",
"version": "5.25",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.8.489",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon:org.wso2.carbon.server.admin",
"product": "org.wso2.carbon:org.wso2.carbon.server.admin",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.4.7.6",
"status": "affected",
"version": "4.4.7",
"versionType": "custom"
},
{
"lessThan": "4.4.9.11",
"status": "affected",
"version": "4.4.9",
"versionType": "custom"
},
{
"lessThan": "4.4.11.9",
"status": "affected",
"version": "4.4.11",
"versionType": "custom"
},
{
"lessThan": "4.4.26.12",
"status": "affected",
"version": "4.4.26",
"versionType": "custom"
},
{
"lessThan": "4.4.32.16",
"status": "affected",
"version": "4.4.32",
"versionType": "custom"
},
{
"lessThan": "4.4.35.44",
"status": "affected",
"version": "4.4.35",
"versionType": "custom"
},
{
"lessThan": "4.5.1.43",
"status": "affected",
"version": "4.5.1",
"versionType": "custom"
},
{
"lessThan": "4.6.0.1990",
"status": "affected",
"version": "4.6.0",
"versionType": "custom"
},
{
"lessThan": "4.6.1.149",
"status": "affected",
"version": "4.6.1",
"versionType": "custom"
},
{
"lessThan": "4.6.2.667",
"status": "affected",
"version": "4.6.2",
"versionType": "custom"
},
{
"lessThan": "4.6.3.36",
"status": "affected",
"version": "4.6.3",
"versionType": "custom"
},
{
"lessThan": "4.6.4.14",
"status": "affected",
"version": "4.6.4",
"versionType": "custom"
},
{
"lessThan": "4.7.1.68",
"status": "affected",
"version": "4.7.1",
"versionType": "custom"
},
{
"lessThan": "4.8.1.39",
"status": "affected",
"version": "4.8.1",
"versionType": "custom"
},
{
"lessThan": "4.9.0.99",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "4.9.26.25",
"status": "affected",
"version": "4.9.26",
"versionType": "custom"
},
{
"lessThan": "4.9.27.10",
"status": "affected",
"version": "4.9.27",
"versionType": "custom"
},
{
"lessThan": "4.9.28.11",
"status": "affected",
"version": "4.9.28",
"versionType": "custom"
},
{
"lessThan": "4.10.9.66",
"status": "affected",
"version": "4.10.9",
"versionType": "custom"
},
{
"lessThan": "4.10.42.9",
"status": "affected",
"version": "4.10.42",
"versionType": "custom"
},
{
"lessThan": "4.9.29",
"status": "affected",
"version": "4.9",
"versionType": "custom"
},
{
"lessThan": "4.10.94",
"status": "affected",
"version": "4.10",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow",
"product": "org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.1.1.1",
"status": "affected",
"version": "5.1.1",
"versionType": "custom"
},
{
"lessThan": "5.1.2.1",
"status": "affected",
"version": "5.1.2",
"versionType": "custom"
},
{
"lessThan": "5.1.5.1",
"status": "affected",
"version": "5.1.5",
"versionType": "custom"
},
{
"lessThan": "5.3.3.1",
"status": "affected",
"version": "5.3.3",
"versionType": "custom"
},
{
"lessThan": "5.4.0.4",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.4.1.5",
"status": "affected",
"version": "5.4.1",
"versionType": "custom"
},
{
"lessThan": "5.6.0.1",
"status": "affected",
"version": "5.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.6.21",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "crnkovi\u0107"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\u003cbr\u003e\u003cbr\u003eThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected.\u003cbr\u003e"
}
],
"value": "An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\n\nThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "For WSO2 API Manager"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "For WSO2 Identity Server"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T12:33:45.426Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution"
}
],
"source": {
"advisory": "WSO2-2025-4503",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2025-9804",
"datePublished": "2025-10-16T12:33:45.426Z",
"dateReserved": "2025-09-01T13:11:12.678Z",
"dateUpdated": "2025-10-17T16:01:25.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-9804\",\"sourceIdentifier\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"published\":\"2025-10-16T13:15:42.130\",\"lastModified\":\"2025-11-21T21:40:09.890\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\\n\\nThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C6D7E912-B0C4-4AD2-90CF-6355BA9DEEB0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"245D4EB1-F69D-4FAF-94DB-F4B3D3C20539\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6819491F-C6C3-41C1-B27A-0D0B62224977\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D57C8CF-084D-4142-9AF1-7C9F1261A3BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC168B6A-B15A-4C3B-A38D-C0B65F24F333\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8FF14774-8935-4FC9-B5C8-9771B3D6EBFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1344FB79-0796-445C-A8F3-C03E995925D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E31E32CD-497E-4EF5-B3FC-8718EE06EDAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B58251E8-606B-47C8-8E50-9F9FC8C179BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E21D7ABF-C328-425D-B914-618C7628220B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"51465410-6B7C-40FD-A1AB-A14F650A6AC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"851470CC-22AB-43E4-9CC6-5E22D49B3572\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"9EBAB99E-6F0F-4CE9-A954-E8878826304C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B3E6207-B2CF-487C-9CB8-906248B665C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"D47B760D-5418-4FB0-88F0-3F78BAFF63E1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager_analytics:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2318B757-4BE3-4A45-9337-12281210964E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager_analytics:2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2D5DF76F-1578-4C10-AB38-A01979302B3B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADEAF56C-4583-40A6-826F-01AC86191AD7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04A2A50A-872E-4CC7-BBB7-3E0956176AAC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:data_analytics_server:3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"941D83A5-1978-49AE-890D-E31980E2D6AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CCDDFAB-C8FC-41C4-9872-667C442F119B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66292C25-B0B9-4FCE-9382-57B8F6BB814A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"709DC7EA-18A6-4B83-84CB-F2499BEB5D2F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:enterprise_mobility_manager:2.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A9D6FCEF-7685-42DD-B322-AD87B5F37574\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:enterprise_service_bus:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"236C44E3-FAB5-41F2-9884-D17944EBB468\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2689AF3E-01AA-4B79-BA55-6BB3D81E16CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0375C318-ECD2-4657-A0D7-4A0708266FBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9E7D773-A7CE-4AB8-828B-C2E7DC2799AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CEA63B98-D4B4-4FCD-A869-FE64BC21A1B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"26542F95-73F3-4906-838E-A66F5DC9DFA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60781FE4-38A3-4FEA-9D8B-CADE4B535974\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B169832-A746-49A6-8E92-06624AA9B13A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"981D701D-E381-484A-9614-CD0EF0331071\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4F126CA-A2F9-44F4-968B-DF71765869E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2153AECE-020A-4C01-B2A6-F9F5D98E7EBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA76533A-5BED-4BDC-B348-EB3D3FDFB110\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1EFBD0F-9664-4EF3-9908-C72B1318F68F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5358E6E-8C01-408D-8692-B1A326DC630F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_analytics:5.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1116722-BC4A-4127-9BF5-DB62760BD026\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_analytics:5.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1AB6D32-5BD3-47F0-BDA8-3AEC1C24543F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"42BFE7A0-A168-4C1E-8725-41DD500C837E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5508EC5E-BEEA-49A7-BA2E-AEF40ECCB5C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"104DBA04-538E-4CC5-9B6C-CFEDB40375AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4F0F121-700C-4D30-BAFC-960DCC56F08B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E5761F7-C287-4EC4-A899-C54FB4E80A35\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B184BFC-8E1A-4971-B6D2-C594742AB8CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA51AC1B-0BF6-44F6-B034-CAD4F623DD76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6BB34405-A2F1-461A-B51B-E103BB3680A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:open_banking_am:1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8CFB56F4-91D1-4FBF-842A-04BB117CAF85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:open_banking_am:1.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"035BF3B3-1AB9-43BC-BB37-68843818EDEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"94347800-04D2-48C4-ACF0-078A5ACBB063\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:open_banking_km:1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E53783F4-60C7-4A92-8951-F8FD51170670\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:open_banking_km:1.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"535EFD44-F81C-43B2-B595-81429468637F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7413107-D7B2-49AE-AC46-52E7BFCD6ED8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61636553-C25E-44DF-93D7-EB3E1056D1DC\"}]}]}],\"references\":[{\"url\":\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/\",\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-9804\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-16T13:20:20.582589Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284 Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-16T13:21:20.748Z\"}}], \"cna\": {\"title\": \"Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs\", \"source\": {\"advisory\": \"WSO2-2025-4503\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"crnkovi\\u0107\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.6, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"For WSO2 API Manager\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.9, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"For WSO2 Identity Server\"}]}], \"affected\": [{\"vendor\": \"WSO2\", \"product\": \"WSO2 Identity Server as Key Manager\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"5.3.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.3.0\", \"lessThan\": \"5.3.0.41\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.5.0\", \"lessThan\": \"5.5.0.53\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.6.0\", \"lessThan\": \"5.6.0.75\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.7.0\", \"lessThan\": \"5.7.0.125\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.9.0\", \"lessThan\": \"5.9.0.176\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.10.0\", \"lessThan\": \"5.10.0.359\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Identity Server\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"5.2.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.2.0\", \"lessThan\": \"5.2.0.34\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.3.0\", \"lessThan\": \"5.3.0.36\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.4.0\", \"lessThan\": \"5.4.0.34\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.4.1\", \"lessThan\": \"5.4.1.38\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.5.0\", \"lessThan\": \"5.5.0.52\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.6.0\", \"lessThan\": \"5.6.0.60\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.7.0\", \"lessThan\": \"5.7.0.126\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.8.0\", \"lessThan\": \"5.8.0.110\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.9.0\", \"lessThan\": \"5.9.0.169\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.10.0\", \"lessThan\": \"5.10.0.369\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.11.0\", \"lessThan\": \"5.11.0.413\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.0.0.244\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.1.0\", \"lessThan\": \"6.1.0.243\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.0.0\", \"lessThan\": \"7.0.0.118\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.1.0\", \"lessThan\": \"7.1.0.25\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Open Banking KM\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"1.4.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.4.0\", \"lessThan\": \"1.4.0.133\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.5.0\", \"lessThan\": \"1.5.0.123\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Open Banking IAM\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"2.0.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"2.0.0.409\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Open Banking AM\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"1.4.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.4.0\", \"lessThan\": \"1.4.0.139\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.5.0\", \"lessThan\": \"1.5.0.140\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"2.0.0.389\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 API Manager\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"2.0.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"2.0.0.31\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.1.0\", \"lessThan\": \"2.1.0.40\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.2.0\", \"lessThan\": \"2.2.0.59\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.5.0\", \"lessThan\": \"2.5.0.85\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.6.0\", \"lessThan\": \"2.6.0.146\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.0.0.176\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.1.0.340\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.2.0\", \"lessThan\": \"3.2.0.441\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.2.1\", \"lessThan\": \"3.2.1.61\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.0.0\", \"lessThan\": \"4.0.0.361\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.1.0\", \"lessThan\": \"4.1.0.224\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.2.0\", \"lessThan\": \"4.2.0.162\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.3.0\", \"lessThan\": \"4.3.0.75\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.0\", \"lessThan\": \"4.4.0.39\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.5.0\", \"lessThan\": \"4.5.0.23\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Identity Server Analytics\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"5.2.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.2.0\", \"lessThan\": \"5.2.0.19\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.3.0\", \"lessThan\": \"5.3.0.17\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.5.0\", \"lessThan\": \"5.5.0.31\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.6.0\", \"lessThan\": \"5.6.0.38\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"API Manager Analytics\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"2.0.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"2.0.0.14\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.1.0\", \"lessThan\": \"2.1.0.19\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.2.0\", \"lessThan\": \"2.2.0.30\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.5.0\", \"lessThan\": \"2.5.0.39\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Enterprise Integrator\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"6.2.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.2.0\", \"lessThan\": \"6.2.0.62\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.3.0\", \"lessThan\": \"6.3.0.70\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Enterprise Service Bus Analytics\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"5.0.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.0.0\", \"lessThan\": \"5.0.0.13\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Data Analytics Server\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"3.1.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.1.0.20\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.2.0\", \"lessThan\": \"3.2.0.33\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Enterprise Mobility Manager\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"2.2.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.2.0\", \"lessThan\": \"2.2.0.28\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Universal Gateway\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5.0\", \"lessThan\": \"4.5.0.22\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 API Control Plane\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5.0\", \"lessThan\": \"4.5.0.24\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Traffic Manager\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5.0\", \"lessThan\": \"4.5.0.22\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.10\", \"lessThan\": \"2.0.10.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.15\", \"lessThan\": \"2.0.15.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.21\", \"lessThan\": \"2.0.21.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.22\", \"lessThan\": \"2.0.22.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.1.12\", \"lessThan\": \"2.1.12.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.1\", \"lessThan\": \"2.1.1972\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.2\", \"lessThan\": \"2.2.24\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.2\", \"lessThan\": \"2.2.25\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.1.0.74\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.3.6\", \"lessThan\": \"3.3.6.7\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.3.26\", \"lessThan\": \"3.3.26.2\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.3.35\", \"lessThan\": \"3.3.35.1\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"3.3.41\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"*\"}], \"packageName\": \"org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector\", \"defaultStatus\": \"unknown\"}, {\"vendor\": \"WSO2\", \"product\": \"org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.7.206\", \"lessThan\": \"6.7.206.567\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.7.210\", \"lessThan\": \"6.7.210.63\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.0.174\", \"lessThan\": \"9.0.174.522\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.20.74\", \"lessThan\": \"9.20.74.379\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.28.116\", \"lessThan\": \"9.28.116.360\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.29.120\", \"lessThan\": \"9.29.120.184\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.30.67\", \"lessThan\": \"9.30.67.109\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.31.86\", \"lessThan\": \"9.31.86.71\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"9.32.133\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"*\"}], \"packageName\": \"org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util\", \"defaultStatus\": \"unknown\"}, {\"vendor\": \"WSO2\", \"product\": \"org.wso2.carbon:org.wso2.carbon.base\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.4.7\", \"lessThan\": \"4.4.7.6\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.9\", \"lessThan\": \"4.4.9.11\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.11\", \"lessThan\": \"4.4.11.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.26\", \"lessThan\": \"4.4.26.12\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.35\", \"lessThan\": \"4.4.35.44\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.5.1\", \"lessThan\": \"4.5.1.43\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.0\", \"lessThan\": \"4.6.0.1990\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.1\", \"lessThan\": \"4.6.1.149\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.2\", \"lessThan\": \"4.6.2.667\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.3\", \"lessThan\": \"4.6.3.36\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.4\", \"lessThan\": \"4.6.4.14\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.7.1\", \"lessThan\": \"4.7.1.68\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.8.1\", \"lessThan\": \"4.8.1.39\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.0\", \"lessThan\": \"4.9.0.99\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.26\", \"lessThan\": \"4.9.26.25\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.27\", \"lessThan\": \"4.9.27.10\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.28\", \"lessThan\": \"4.9.28.11\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.10.9\", \"lessThan\": \"4.10.9.66\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.10.42\", \"lessThan\": \"4.10.42.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9\", \"lessThan\": \"4.9.29\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.10\", \"lessThan\": \"4.10.94\", \"versionType\": \"custom\"}], \"packageName\": \"org.wso2.carbon:org.wso2.carbon.base\", \"defaultStatus\": \"unknown\"}, {\"vendor\": \"WSO2\", \"product\": \"org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.2.0\", \"lessThan\": \"5.2.0.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.2.2\", \"lessThan\": \"5.2.2.21\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.7.5\", \"lessThan\": \"5.7.5.18\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.11.148\", \"lessThan\": \"5.11.148.19\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.11.256\", \"lessThan\": \"5.11.256.21\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.12.153\", \"lessThan\": \"5.12.153.63\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.12.387\", \"lessThan\": \"5.12.387.46\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.14.97\", \"lessThan\": \"5.14.97.89\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.17.5\", \"lessThan\": \"5.17.5.317\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.17.118\", \"lessThan\": \"5.17.118.17\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.18.187\", \"lessThan\": \"5.18.187.309\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.18.248\", \"lessThan\": \"5.18.248.30\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.23.8\", \"lessThan\": \"5.23.8.207\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.24.8\", \"lessThan\": \"5.24.8.23\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.25.92\", \"lessThan\": \"5.25.92.152\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.25.705\", \"lessThan\": \"5.25.705.19\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.25.713\", \"lessThan\": \"5.25.713.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.25.724\", \"lessThan\": \"5.25.724.3\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.0.78\", \"lessThan\": \"7.0.78.133\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.8.23\", \"lessThan\": \"7.8.23.47\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.25\", \"lessThan\": \"5.25.734\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"7.8.489\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"*\"}], \"packageName\": \"org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt\", \"defaultStatus\": \"unknown\"}, {\"vendor\": \"WSO2\", \"product\": \"org.wso2.carbon:org.wso2.carbon.server.admin\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.4.7\", \"lessThan\": \"4.4.7.6\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.9\", \"lessThan\": \"4.4.9.11\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.11\", \"lessThan\": \"4.4.11.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.26\", \"lessThan\": \"4.4.26.12\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.32\", \"lessThan\": \"4.4.32.16\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.4.35\", \"lessThan\": \"4.4.35.44\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.5.1\", \"lessThan\": \"4.5.1.43\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.0\", \"lessThan\": \"4.6.0.1990\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.1\", \"lessThan\": \"4.6.1.149\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.2\", \"lessThan\": \"4.6.2.667\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.3\", \"lessThan\": \"4.6.3.36\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.6.4\", \"lessThan\": \"4.6.4.14\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.7.1\", \"lessThan\": \"4.7.1.68\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.8.1\", \"lessThan\": \"4.8.1.39\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.0\", \"lessThan\": \"4.9.0.99\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.26\", \"lessThan\": \"4.9.26.25\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.27\", \"lessThan\": \"4.9.27.10\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9.28\", \"lessThan\": \"4.9.28.11\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.10.9\", \"lessThan\": \"4.10.9.66\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.10.42\", \"lessThan\": \"4.10.42.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.9\", \"lessThan\": \"4.9.29\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.10\", \"lessThan\": \"4.10.94\", \"versionType\": \"custom\"}], \"packageName\": \"org.wso2.carbon:org.wso2.carbon.server.admin\", \"defaultStatus\": \"unknown\"}, {\"vendor\": \"WSO2\", \"product\": \"org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.1.1\", \"lessThan\": \"5.1.1.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.1.2\", \"lessThan\": \"5.1.2.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.1.5\", \"lessThan\": \"5.1.5.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.3.3\", \"lessThan\": \"5.3.3.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.4.0\", \"lessThan\": \"5.4.0.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.4.1\", \"lessThan\": \"5.4.1.5\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.6.0\", \"lessThan\": \"5.6.0.1\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"5.6.21\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"*\"}], \"packageName\": \"org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow\", \"defaultStatus\": \"unknown\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: transparent;\\\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\\\"\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\\n\\nThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\u003cbr\u003e\u003cbr\u003eThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager\u0027s API Gateway remain unaffected.\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"ed10eef1-636d-4fbe-9993-6890dfa878f8\", \"shortName\": \"WSO2\", \"dateUpdated\": \"2025-10-16T12:33:45.426Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-9804\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-17T16:01:25.350Z\", \"dateReserved\": \"2025-09-01T13:11:12.678Z\", \"assignerOrgId\": \"ed10eef1-636d-4fbe-9993-6890dfa878f8\", \"datePublished\": \"2025-10-16T12:33:45.426Z\", \"assignerShortName\": \"WSO2\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…