Wso2
Known Exploited Wso2 Vulnerabilities
The following Wso2 vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| WSO2 Multiple Products Unrestrictive Upload of File Vulnerability | Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution. CVE-2022-29464. Exploit Probability: 94.4% | April 25, 2022 |
The vulnerability CVE-2022-29464: WSO2 Multiple Products Unrestrictive Upload of File Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.
By the Year
In 2026 there have been 9 vulnerabilities in Wso2 with an average score of 6.6 out of ten. Last year, in 2025, Wso2 had 30 security vulnerabilities published. Right now, Wso2 is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.01.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 9 | 6.64 |
| 2025 | 30 | 6.63 |
| 2024 | 0 | 0.00 |
| 2023 | 7 | 6.23 |
| 2022 | 8 | 7.40 |
| 2021 | 2 | 6.10 |
| 2020 | 27 | 6.86 |
| 2019 | 11 | 5.08 |
| 2018 | 1 | 5.40 |
It may take a day or so for new Wso2 vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Wso2 Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-12624 | Apr 16, 2026 | WSO2 IS: Unrevoked Access Tokens on Account Lock (CVE-2025-12624). Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire. | |
| CVE-2025-6024 | Apr 16, 2026 | WSO2 IS Auth Endpoint XSS via Unencoded User Input. The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies. | |
| CVE-2024-10242 | Apr 16, 2026 | WSO2 Identity Server XSS via Auth Endpoint (CVE-2024-10242). The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking. | |
| CVE-2024-8010 | Apr 16, 2026 | XXE in WSO2 API Manager Publisher via XML input. The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product. | |
| CVE-2024-4867 | Apr 16, 2026 | XSS in WSO2 API Manager Dev Portal. The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag. | |
| CVE-2024-2374 | Apr 16, 2026 | WSO2 XML External Entity (XXE) In Parser Vulnerability. The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources. | And others... |
| CVE-2024-1524 | Feb 24, 2026 | WSO2 IS Silent JIT Provisioning Vulnerability: Account Overwrite. When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control. The deployment should have: - An IDP configured for federated authentication with Silent JIT provisioning enabled. The malicious actor should have: - A fresh valid user account in the federated IDP that has not been used earlier. - Knowledge of the username of a valid user in the local IDP. - An account at the federated IDP matching the targeted local username. | |
| CVE-2025-13590 | Feb 19, 2026 | RCE via Arbitrary File Upload in REST API (Admin Privileges). A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload. | And others... |
| CVE-2025-12107 | Feb 19, 2026 | Velocity Templating RCE via Admin-Injected Template Syntax. Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information. | |
| CVE-2025-9312 | Nov 18, 2025 | Authx Bypass in WSO2 Identity Server mTLS Auth Flow. A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate-based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected. | And others... |
| CVE-2025-6670 | Nov 18, 2025 | WSO2 Carbon Console CSRF via GET in Admin Service State-Changing Ops. A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments. | And others... |
| CVE-2025-10853 | Nov 05, 2025 | WSO2 Mgt Console Reflected XSS via Improper Output Encoding. A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking. | And others... |
| CVE-2025-5770 | Nov 05, 2025 | XSS in WSO2 Auth Endpoints via Unencoded Output. A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim's browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector. | And others... |
| CVE-2025-11093 | Nov 05, 2025 | Arbitrary Code Exec via Unrestricted GraalJS/NashornJS in WSO2 Integrators. An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment. | And others... |
| CVE-2025-10907 | Nov 05, 2025 | WSO2 Admin SOAP Services Arbitrary File Upload (RCE). An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services. | And others... |
| CVE-2025-10713 | Nov 05, 2025 | XXE Vulnerability in WSO2 XML Parser. An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable. | And others... |
| CVE-2025-3125 | Nov 05, 2025 | WSO2 Carbon AppUploader Authenticated File Upload Vulnerability (RCE). An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions. | And others... |
| CVE-2025-5605 | Oct 24, 2025 | WSO2 Management Console Auth Bypass via URI Manipulation. An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details. | And others... |
| CVE-2025-5350 | Oct 24, 2025 | WSO2 Try-It SSRF & XSS in Deprecated Admin Feature. SSRF and reflected XSS vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin's browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk. Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product. | And others... |
| CVE-2025-9152 | Oct 16, 2025 | WSO2 API Manager Improper Privilege Management in DCR Endpoint. An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations. | |
| CVE-2025-9804 | Oct 16, 2025 | WSO2 Internal Admin API Improper Access Control. An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected. | And others... |
| CVE-2025-9955 | Oct 16, 2025 | WSO2 EI Improper Access Control on Internal SOAP Admin Services. An improper access control vulnerability exists in the WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level. While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance. | |
| CVE-2025-10611 | Oct 16, 2025 | WSO2 API Manager REST API Access Control Bypass Unauth Admin Ops. Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations. | And others... |
| CVE-2025-1862 | Sep 26, 2025 | WSO2 BPS File Upload RCE via BPEL Uploader SOAP. An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server. By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data. | And others... |
| CVE-2025-1396 | Sep 26, 2025 | WSO2 Multi-Attr Login username enumeration via distinct error. A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses. Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system. | |
| CVE-2025-0672 | Sep 23, 2025 | WSO2 Identity Server FIDO Auth Bypass Leads to User Impersonation. An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication. | |
| CVE-2025-0209 | Sep 23, 2025 | WSO2 Identity Server Registration XSS Reflected. A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. A malicious actor can exploit this vulnerability by injecting a crafted payload that is reflected in the server response, enabling the execution of arbitrary JavaScript in the victim's browser. This vulnerability could allow attackers to redirect users to malicious websites, modify the user interface, or exfiltrate data from the browser. However, session-related sensitive cookies are protected using the httpOnly flag, which mitigates the risk of session hijacking. | |
| CVE-2025-0663 | Sep 23, 2025 | WSO2 Cross-Tenant Auth Cookie Forgery via Shared Key. A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled. | |
| CVE-2024-6429 | Sep 23, 2025 | WSO2 IDS Content Spoofing via URL Params. A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI. By exploiting this vulnerability, attackers can manipulate browser-displayed error messages, enabling social engineering attacks through deceptive or misleading content. | And others... |
| CVE-2025-5717 | Sep 23, 2025 | WSO2 Event Processor RCE via Siddhi Exec Plan Injection. An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server. Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users. | |
| CVE-2025-4760 | Sep 23, 2025 | WSO2 API Manager: Authenticated Stored XSS in Publisher API Doc Upload. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking. | |
| CVE-2024-4598 | Sep 23, 2025 | WSO2 Integrator Mediator State Leakage via Improper Isolation. An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions. This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows. | |
| CVE-2024-8008 | Jun 02, 2025 | WSO2 Identity Server XSS via JDBC User Store Error Output. A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible. | And others... |
| CVE-2024-7096 | May 30, 2025 | WSO2 IS Privilege Escalation via SOAP Admin Role Injection. A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms. | And others... |
| CVE-2024-6914 | May 22, 2025 | WSO2 Account Recovery SOAP Admin Service Auth Bypass. An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks. | |
| CVE-2024-7487 | May 22, 2025 | WSO2 Identity Server 7.0.0 Improper Auth: App-native Bypass with Invalid Object. An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed. Exploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentication process. | |
| CVE-2024-7103 | May 22, 2025 | WSO2 Identity Server 7.0.0 Reflected XSS in sub-organization login flow. A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due to improper input validation. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. While this issue could allow an attacker to manipulate the user's browser, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking. | |
| CVE-2025-2905 | May 05, 2025 | XXE in WSO2 API Manager Gateway: Unauth Remote File Read & DoS. Due to the improper configuration of the XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server's filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable. | And others... |
| CVE-2024-0392 | Feb 27, 2025 | WSO2 EI 6.6 CSRF in Management Console. A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence of CSRF token validation. This flaw allows attackers to craft malicious requests that can trigger state-changing operations on behalf of an authenticated user, potentially compromising account settings and data integrity. The vulnerability only affects a limited set of state-changing operations, and successful exploitation requires social engineering to trick a user with access to the management console into performing the malicious action. | |
| CVE-2023-6911 | Dec 18, 2023 | WSO2 Management Console XSS via Registry Input Improper Encoding. Multiple WSO2 products have been identified as vulnerable due to improper output encoding; a stored Cross-Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console. | And others... |
| CVE-2023-6839 | Dec 15, 2023 | WSO2 Identity Server REST API error exposes internal package name. Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response. | |
| CVE-2023-6837 | Dec 15, 2023 | WSO2 Identity Server JIT Provisioning User Impersonation Vulnerability. Multiple WSO2 products have been identified as vulnerable to user impersonation using JIT provisioning. In order for this vulnerability to have any impact on your deployment, the following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled. The attacker should have: * A fresh valid user account in the federated IDP that has not been used earlier. * Knowledge of the username of a valid user in the local IDP. When all preconditions are met, a malicious actor could use the JIT provisioning flow to perform user impersonation. | And others... |
| CVE-2023-6835 | Dec 15, 2023 | WSO2 API Manager Forum Input Validation Flaw Allows Score Abuse (CVE-2023-6835). Multiple WSO2 products have been identified as vulnerable due to a lack of server-side input validation in the Forum feature; API ratings could be manipulated. | |
| CVE-2023-6836 | Dec 15, 2023 | XXE Vulnerability in WSO2 Products Enables Sensitive Data Disclosure. Multiple WSO2 products have been identified as vulnerable to an XML External Entity (XXE) attack, which abuses a widely available but rarely used feature of XML parsers to access sensitive information. | And others... |
| CVE-2023-6838 | Dec 15, 2023 | XSS via Tampered Param in Authentication Endpoint. A reflected XSS vulnerability can be exploited by tampering with a request parameter in the Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests. | And others... |
| CVE-2023-31664 | May 23, 2023 | WSO2 API Manager <4.2.0 Reflected XSS in /authenticationendpoint/login.do. A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter. | |
| CVE-2022-4520 | Dec 15, 2022 | WSO2 carbon-registry 4.8.11 XSS in Advanced Search. A vulnerability was found in WSO2 carbon-registry up to 4.8.11. It has been rated as problematic. Affected by this issue is some unknown functionality of the file components/registry/org.wso2.carbon.registry.search.ui/src/main/resources/web/search/advancedSearchForm-ajaxprocessor.jsp of the component Advanced Search. The manipulation of the argument mediaType/rightOp/leftOp/rightPropertyValue/leftPropertyValue leads to cross site scripting. The attack may be launched remotely. Upgrading to version 4.8.12 is able to address this issue. The name of the patch is 0c827cc1b14b82d8eb86117ab2e43c34bb91ddb4. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215900. | |
| CVE-2022-4521 | Dec 15, 2022 | WSO2 Carbon-Registry XSS in Request Parameter Handler before 4.8.7. A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.6. This affects an unknown part of the component Request Parameter Handler. The manipulation of the argument parentPath/path/username/path/profile_menu leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.8.7 is able to address this issue. The name of the patch is 9f967abfde9317bee2cda469dbc09b57d539f2cc. It is recommended to upgrade the affected component. The identifier VDB-215901 was assigned to this vulnerability. | |
| CVE-2022-0143 | Sep 19, 2022 | WSO2 IDM LDAP Connector Unauthenticated Access via StartTLS <1.5.20.9. When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS). | |
| CVE-2022-39810 | Sep 09, 2022 | WSO2 EI 6.4.0 Reflected XSS in ajaxprocessor.jsp. An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible. | |