CVE-2025-8325
The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x...
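The failure mode above, as an added example that is not WSO2 code: a minimal model of a gateway-side role check in which the catch-all role every authenticated user holds ('Internal/Everyone', the role named in the advisory) ends up satisfying the check, beside a deny-by-default version that never lets that role carry privilege. The API paths, the other role names and the policy table are assumed for illustration.

```python
# Added example, not WSO2 code. The catch-all role name is taken from the
# advisory; the API paths, policy table and other role names are assumed.

EVERYONE = "Internal/Everyone"   # held by every authenticated user

# Assumed policy table: API path -> roles that may invoke it.
API_POLICY = {
    "/internal/gateway/deploy": {"admin"},
    "/internal/keymanager/keys": {"admin", "Internal/publisher"},
}


def authorize_broken(user_roles, api):
    """Vulnerable pattern: the policy consulted at the gateway folds
    Internal/Everyone in as an implicit 'is authenticated' role, so any
    logged-in user satisfies the check for every listed API."""
    allowed = API_POLICY.get(api, set()) | {EVERYONE}   # the defect
    return bool(set(user_roles) & allowed)


def authorize_fixed(user_roles, api):
    """Deny by default; the catch-all role never counts as a privilege."""
    allowed = API_POLICY.get(api)
    if allowed is None:
        return False                       # unknown API: deny
    effective = set(user_roles) - {EVERYONE}
    return bool(effective & allowed)


def apis_open_to_everyone(policy):
    """Audit helper: APIs whose policy would admit the catch-all role."""
    return sorted(api for api, roles in policy.items() if EVERYONE in roles)


if __name__ == "__main__":
    caller = [EVERYONE]                    # an ordinary authenticated user
    for api in API_POLICY:
        print(api, "broken:", authorize_broken(caller, api),
              "fixed:", authorize_fixed(caller, api))
```

The audit helper is the check worth running against a real policy export: any restricted API whose allowed-role set contains the catch-all role is effectively unauthenticated for every logged-in user.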
CVE-2025-0672 Authentication Bypass in Multiple WSO2 Products via Stale FIDO Credential Association
An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may...
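The stale-association problem described above, reproduced in an added example that is not WSO2 code: a toy user store plus FIDO credential store keyed by username, where deleting the user leaves the registration behind and a re-created account with the same name inherits it, beside a hardened store that keys credentials by an immutable internal user id and purges them on deletion. The usernames and credential ids are constructed for the example.

```python
# Added example, not WSO2 code. User and credential identifiers below are
# constructed for illustration.

import itertools


class VulnerableStore:
    """Credentials keyed by username; deleting a user leaves them behind."""

    def __init__(self):
        self.users = {}          # username -> internal id
        self.fido = {}           # username -> set of credential ids
        self._ids = itertools.count(1)

    def create_user(self, username):
        self.users[username] = next(self._ids)

    def register_fido(self, username, cred_id):
        self.fido.setdefault(username, set()).add(cred_id)

    def delete_user(self, username):
        del self.users[username]          # defect: self.fido[username] survives

    def fido_login(self, username, cred_id):
        return username in self.users and cred_id in self.fido.get(username, set())


class HardenedStore(VulnerableStore):
    """Credentials keyed by the immutable internal id and purged on deletion,
    so a re-created username (a new id) can never match an old registration."""

    def register_fido(self, username, cred_id):
        self.fido.setdefault(self.users[username], set()).add(cred_id)

    def delete_user(self, username):
        uid = self.users.pop(username)
        self.fido.pop(uid, None)          # purge in the same operation

    def fido_login(self, username, cred_id):
        uid = self.users.get(username)
        return uid is not None and cred_id in self.fido.get(uid, set())


def stale_credential_works(store):
    """Delete 'alice', re-create 'alice', then present the old authenticator.
    Returns True when the old credential still logs in to the new account."""
    store.create_user("alice")
    store.register_fido("alice", "cred-old")
    store.delete_user("alice")
    store.create_user("alice")            # a different person, same username
    return store.fido_login("alice", "cred-old")


if __name__ == "__main__":
    print("vulnerable:", stale_credential_works(VulnerableStore()))
    print("hardened:  ", stale_credential_works(HardenedStore()))
```

Two separate fixes are in play and both matter: purging credentials on deletion closes the window going forward, while keying registrations by an immutable id (not the reusable username) means a purge that is missed, for example by a failed cleanup job, still cannot attach an old authenticator to a new person.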
XXE Injection in the WSO2 Platform for Integrating APIs, Applications and Web Services
The vulnerability in the WSO2 platform for integrating application programming interfaces, applications and web services is caused by improper restriction of XML external entity references. A remote attacker can exploit it to carry out XXE attacks...
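The mitigation a practitioner wants for the XXE class above, as an added example that is not WSO2 code: untrusted XML is first run through a bare expat pass whose handlers refuse any DOCTYPE or entity declaration and never resolve external references, and only then handed to the real parser. The sample documents are constructed for the example; the function names are assumptions of this example.

```python
# Added example, not WSO2 code. Sample XML below is constructed for illustration.

import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    pass


def _refuse_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXml(f"DOCTYPE {name!r} refused (sysid={sysid!r})")


def _refuse_entity(*decl):
    raise UnsafeXml("entity declaration refused")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML with XXE and entity expansion ruled out.

    Pass 1 is an expat scan whose only job is to raise on DOCTYPE/ENTITY and
    to refuse external references; pass 2 builds the tree. The gate is a
    separate expat parser because the C-accelerated ElementTree XMLParser does
    not expose its expat handlers for this kind of hardening.
    """
    gate = expat.ParserCreate()
    gate.StartDoctypeDeclHandler = _refuse_doctype
    gate.EntityDeclHandler = _refuse_entity
    gate.ExternalEntityRefHandler = lambda *args: False   # never fetch anything
    gate.Parse(data, True)      # raises UnsafeXml or ExpatError on bad input
    return ET.fromstring(data)


def is_acceptable(data: bytes) -> bool:
    """True only for well-formed XML with no DTD or entity declarations."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXml, ET.ParseError, expat.ExpatError):
        return False


# Constructed samples: a benign config, a classic file-read XXE payload and
# an internal-entity expansion (billion laughs shape, kept tiny).
BENIGN = b"<apiConfig><name>orders</name></apiConfig>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<apiConfig><name>&xxe;</name></apiConfig>')
LAUGHS = (b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
          b'<x>&b;</x>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("laughs", LAUGHS)):
        print(label, is_acceptable(doc))
```

The document is parsed twice, which costs CPU but fails closed: the gate cannot be bypassed by a payload the tree builder would accept, because both see the same bytes and the gate rejects before any entity is ever defined.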
Unrestricted JSP File Upload in the WSO2 Platform for Integrating APIs and Web Services
The vulnerability in the WSO2 platform for integrating application programming interfaces and web services is caused by the ability to upload arbitrary JSP files to the server. A remote attacker can exploit it to execute arbitrary code...
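Why an unrestricted upload becomes code execution, and the checks that stop it, as an added example that is not WSO2 code: the vulnerable path builder trusts the client's filename (any extension, and `..` walks out of the upload directory, for instance into a deployed webapp where a `.jsp` is executed on the next request), while the hardened builder keeps only an allowlisted extension, refuses anything the servlet container would execute, and assigns a random server-side name. The upload root, the allowlist and the filenames are assumed for illustration.

```python
# Added example, not WSO2 code. UPLOAD_ROOT, the extension lists and the
# filenames used in the tests are assumed for illustration.

import posixpath
import secrets

UPLOAD_ROOT = "/var/lib/app/uploads"          # assumed: outside any webroot
ALLOWED_EXT = {".png", ".jpg", ".pdf", ".txt"}
SERVER_EXECUTABLE = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv", ".war"}


def store_path_vulnerable(client_filename):
    """Trusts the client's name: any extension, and '..' escapes the root."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, client_filename))


class RejectedUpload(ValueError):
    pass


def store_path_hardened(client_filename):
    """Use only the extension from the client's name, allowlist it, refuse any
    segment the container would execute, and pick a random server-side name
    so the client controls neither directory nor basename."""
    base = posixpath.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise RejectedUpload("missing or hidden extension")
    suffixes = {"." + p for p in parts[1:]}
    if suffixes & SERVER_EXECUTABLE:          # catches shell.jsp.png too
        raise RejectedUpload("server-executable extension")
    ext = "." + parts[-1]
    if ext not in ALLOWED_EXT:
        raise RejectedUpload(f"extension {ext} not allowed")
    final = posixpath.normpath(
        posixpath.join(UPLOAD_ROOT, secrets.token_hex(16) + ext))
    if escapes_root(final):
        raise RejectedUpload("path escapes upload root")   # belt and braces
    return final


def escapes_root(path):
    """True when a normalized path is not inside UPLOAD_ROOT."""
    return posixpath.commonpath([UPLOAD_ROOT, path]) != UPLOAD_ROOT


def upload_allowed(client_filename):
    try:
        store_path_hardened(client_filename)
        return True
    except RejectedUpload:
        return False


if __name__ == "__main__":
    name = "../../tomcat/webapps/ROOT/shell.jsp"
    print("vulnerable stores at:", store_path_vulnerable(name))
    print("hardened accepts it: ", upload_allowed(name))
```

Storing outside the webroot is the control that matters most: even if an extension check is later loosened, a file the container never serves as a servlet cannot become code execution by upload alone.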