
403 matches found

Nuclei · added yesterday · 24 views

WSO2 - Cross-Site Scripting

WSO2 contains a reflected cross-site scripting vulnerability in the Management Console of API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0,...

CVSS 6.1 · AI score 6.2 · EPSS 0.40481
Exploits 5 · References 5
RedhatCVE · added 2026/06/05 7:42 p.m. · 5 views

CVE-2025-12624

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...

CVSS 6 · AI score 5.5 · EPSS 0.00177
Exploits 0 · References 1
RedhatCVE · added 2026/06/05 7:42 p.m. · 9 views

CVE-2025-9973

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization ca...

CVSS 7.2 · AI score 5.7 · EPSS 0.00366
Exploits 0 · References 1
NVD · added 2026/05/11 12:16 p.m. · 13 views

CVE-2025-9973

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization ca...

CVSS 7.2 · EPSS 0.00366
Exploits 0 · References 1
Vulnrichment · added 2026/05/11 10:16 a.m. · 5 views

CVE-2025-10470 Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...

CVSS 8.6 · AI score 5.8 · EPSS 0.00317
Exploits 0 · References 1
CVE · added 2026/05/11 10:16 a.m. · 11 views

CVE-2025-10470

CVE-2025-10470 affects WSO2 Identity Server's Magic Link authentication flow. The vulnerability arises because the flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, causing uncontrolled memory usage growth. This can lead to a denial-of-servi...

CVSS 8.6 · AI score 5.8 · EPSS 0.00317
Exploits 0 · References 1 · Affected Software 1
Cvelist · added 2026/05/11 10:16 a.m. · 39 views

CVE-2025-10470 Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...

CVSS 8.6 · EPSS 0.00317
Exploits 0 · References 1
ATTACKERKB · added 2026/05/11 10:12 a.m. · 4 views

CVE-2025-9973

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization ca...

CVSS 6.4 · AI score 5.9 · EPSS 0.00366
Exploits 0 · References 2 · Affected Software 2
Cvelist · added 2026/05/11 10:12 a.m. · 44 views

CVE-2025-9973 Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization ca...

CVSS 6.4 · EPSS 0.00366
Exploits 0 · References 1
Vulnrichment · added 2026/05/11 10:12 a.m. · 6 views

CVE-2025-9973 Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization ca...

CVSS 6.4 · AI score 5.9 · EPSS 0.00366
Exploits 0 · References 1
CVE · added 2026/05/11 10:12 a.m. · 13 views

CVE-2025-9973

CVE-2025-9973 affects WSO2 Identity Server: failure to validate the organization context during adaptive authentication allows triggering authentication logic in other organizations/sub-organizations. This enables cross-organization authorization bypass, potentially leading to privilege escalati...

CVSS 7.2 · AI score 5.9 · EPSS 0.00366
Exploits 0 · References 1 · Affected Software 1
CVE · added 2026/05/11 9:01 a.m. · 11 views

CVE-2025-10908

CVE-2025-10908 affects WSO2 Identity Server. The root cause is a lack of user account state validation during authentication, allowing locked accounts to be authenticated via Magic Link or Pass Key and bypass the account-lock mechanism. This can lead to unauthorized access to applications and dat...

CVSS 7.3 · AI score 5.8 · EPSS 0.0023
Exploits 0 · References 1 · Affected Software 1
Cvelist · added 2026/05/11 9:01 a.m. · 38 views

CVE-2025-10908 Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...

EPSS 0.0023
Exploits 0 · References 1
CNNVD · added 2026/05/11 12:00 a.m. · 6 views

WSO2 Identity Server resource management error vulnerability

WSO2 Identity Server is an identity authentication server developed by the American company WSO2. There is a resource management vulnerability in WSO2 Identity Server. This vulnerability arises from accepting multiple invalid authentication requests without proper rate limiting or resource contro...

CVSS 8.6 · AI score 5.8 · EPSS 0.00317
Exploits 0 · References 1
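The CVE-2025-10470 records above all describe one failure mode: the Magic Link flow keeps per-request state for every start request, so a client that sends invalid requests faster than that state expires grows server memory without bound. The following is an added example, written for this page and not taken from WSO2 or from any of the listed sources, of the three controls a bounded implementation needs (a per-client sliding-window rate limit, a global cap on live challenges, and a TTL so abandoned challenges are reclaimed). The class and parameter names (`MagicLinkLimiter`, `max_pending`, `ttl`, `max_per_window`, `window`) and the limit values are assumptions for illustration, and `simulate_flood` generates constructed abuse traffic rather than any captured request.

```python
# Added example (not WSO2 code): a bounded pending-challenge store for a
# magic-link flow. Class, parameter and limit values are assumptions made
# for illustration; a deployment would tune them.
import time
from collections import OrderedDict, deque


class MagicLinkLimiter:
    """Holds pending magic-link challenges with three independent controls:
    a per-client rate limit, a global cap on live challenges, and a TTL.
    Each closes a distinct way an unbounded store grows under abuse."""

    def __init__(self, max_pending=10_000, ttl=300, max_per_window=5,
                 window=60, now=time.time):
        self.now = now                  # injectable clock (for tests)
        self.max_pending = max_pending
        self.ttl = ttl
        self.max_per_window = max_per_window
        self.window = window
        self.pending = OrderedDict()    # code -> (username, expires_at)
        self.attempts = {}              # client_id -> deque of timestamps

    def _evict_expired(self):
        """Drop expired challenges (insertion order equals expiry order
        because the TTL is constant) and forget idle client ids so the
        rate-limit table itself stays bounded."""
        t = self.now()
        while self.pending:
            _, (_, expires_at) = next(iter(self.pending.items()))
            if expires_at > t:
                break
            self.pending.popitem(last=False)
        stale = [c for c, q in self.attempts.items()
                 if not q or q[-1] <= t - self.window]
        for c in stale:
            del self.attempts[c]

    def allow_request(self, client_id):
        """Sliding-window limit on challenge starts per client identifier."""
        t = self.now()
        q = self.attempts.setdefault(client_id, deque())
        while q and q[0] <= t - self.window:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(t)
        return True

    def start(self, client_id, username, code):
        """Register a challenge; returns 'ok', 'rate_limited' or 'capacity'."""
        if not self.allow_request(client_id):
            return "rate_limited"
        self._evict_expired()
        if len(self.pending) >= self.max_pending:
            return "capacity"           # fail closed rather than grow
        self.pending[code] = (username, self.now() + self.ttl)
        return "ok"

    def consume(self, code):
        """Single-use redemption; returns the username or None."""
        self._evict_expired()
        entry = self.pending.pop(code, None)
        return None if entry is None else entry[0]


def simulate_flood(limiter, attackers, requests_each):
    """Constructed abuse traffic: `attackers` client ids each sending
    `requests_each` invalid starts. Returns a count per outcome."""
    outcomes = {"ok": 0, "rate_limited": 0, "capacity": 0}
    for a in range(attackers):
        for i in range(requests_each):
            outcome = limiter.start(f"client-{a}", "victim", f"code-{a}-{i}")
            outcomes[outcome] += 1
    return outcomes
```

The rate limit alone is not enough: an attacker with many source identifiers stays under the per-client window while still filling the store, which is why the global cap is a separate check, and the TTL is what bounds memory over time even when no challenge is ever redeemed.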
CNNVD · added 2026/05/11 12:00 a.m. · 6 views

Multiple WSO2 products security vulnerability

WSO2 Identity Server (IS) is a product of the American company WSO2. WSO2 Identity Server is an identity authentication server. WSO2 Identity Server as Key Manager is the identity server deployed in the Key Manager role. WSO2 Open Banking IAM is an identity and access management solution for the open banking sector. Severa...

CVSS 5.3 · AI score 5.8 · EPSS 0.00184
Exploits 0 · References 1
CNNVD · added 2026/05/11 12:00 a.m. · 4 views

WSO2 Identity Server security vulnerability

WSO2 Identity Server is an identity authentication server developed by the American company WSO2. WSO2 Identity Server has a security vulnerability that stems from the lack of verification of user account status. This vulnerability may allow locked accounts to be successfully authenticated throug...

CVSS 7.3 · AI score 5.8 · EPSS 0.0023
Exploits 0 · References 1
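Two of the entries on this page are the same control failing at two boundaries: CVE-2025-12624 (tokens already issued stay valid after the account is locked) and CVE-2025-10908 (a locked account can still complete Magic Link or Pass Key authentication). The fix pattern is the same in both cases: the account-state check has to run at every point where a lock could have been applied after some earlier step succeeded, and locking has to revoke what was issued before it. The block below is an added example written for this page, not WSO2's implementation and not from any listed source. It uses a toy in-memory server, and the names `AuthServer`, `AccountLockError`, `_require_unlocked`, `start_magic_link` and `complete_magic_link` are assumptions for illustration; the passkey path is not modelled, but it would call the same `_require_unlocked` check at assertion time.

```python
# Added example (not WSO2 code): account-lock state enforced at token
# validation and at magic-link completion, and lock-time revocation.
# All names here are assumptions made for illustration.
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    username: str
    locked: bool = False


@dataclass
class AccessToken:
    subject: str
    expires_at: float
    revoked: bool = False


class AccountLockError(Exception):
    """Raised when a locked (or unknown) account tries to authenticate."""


class AuthServer:
    """Toy identity server keeping users, tokens and pending magic links."""

    def __init__(self, now=time.time):
        self.now = now                # injectable clock (for tests)
        self.users = {}               # username -> User
        self.tokens = {}              # token value -> AccessToken
        self.magic_links = {}         # link code -> username

    def add_user(self, username):
        self.users[username] = User(username)

    def _require_unlocked(self, username):
        """Single place where account state is checked; every
        authenticator and every issuance path goes through it."""
        user = self.users.get(username)
        if user is None or user.locked:
            raise AccountLockError(f"{username}: account locked or unknown")
        return user

    def issue_token(self, username, ttl=3600):
        self._require_unlocked(username)
        value = secrets.token_urlsafe(32)
        self.tokens[value] = AccessToken(username, self.now() + ttl)
        return value

    def validate_token(self, value):
        """Returns the subject for a usable token, else None."""
        tok = self.tokens.get(value)
        if tok is None or tok.revoked or self.now() >= tok.expires_at:
            return None
        # Defence in depth: a token whose subject is locked is never usable,
        # even if revocation at lock time was missed (CVE-2025-12624 class).
        if self.users[tok.subject].locked:
            return None
        return tok.subject

    def lock_account(self, username):
        self.users[username].locked = True
        # Revoke every token issued to the subject at the moment of locking.
        for tok in self.tokens.values():
            if tok.subject == username:
                tok.revoked = True
        # Pending magic links for the subject are invalidated as well.
        for code in [c for c, u in self.magic_links.items() if u == username]:
            del self.magic_links[code]

    def unlock_account(self, username):
        self.users[username].locked = False

    def start_magic_link(self, username):
        self._require_unlocked(username)
        code = secrets.token_urlsafe(24)
        self.magic_links[code] = username
        return code

    def complete_magic_link(self, code):
        """Redeem a link. Returns a token, None for an unknown/used code,
        or raises AccountLockError if the account is locked now."""
        username = self.magic_links.pop(code, None)
        if username is None:
            return None
        # The state check runs again at completion: the lock may have been
        # applied between link issuance and link use (CVE-2025-10908 class).
        self._require_unlocked(username)
        return self.issue_token(username)
```

The second check in `complete_magic_link` is deliberate redundancy: `lock_account` already purges pending links, but a lock applied through another path (an admin API, a different node in a cluster) may not, and the completion step is the last point at which the server can refuse.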
CNNVD · added 2026/05/11 12:00 a.m. · 7 views

WSO2 Identity Server access control error vulnerability

WSO2 Identity Server is an identity authentication server developed by the American company WSO2. WSO2 Identity Server has an access control vulnerability that arises from the lack of verification of organizational context during the execution of adaptive authentication processes. This vulnerabili...

CVSS 7.2 · AI score 6 · EPSS 0.00366
Exploits 0 · References 1
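The CVE-2025-9973 records describe adaptive authentication logic configured in one organization being executed for a login that belongs to another. The missing check is a tenancy check at script resolution time: before any script runs, the server must confirm that the organization the request is authenticating against is one the script's owner is allowed to affect. The block below is an added example written for this page, not WSO2's adaptive authentication engine and not from any listed source. The registry, the parent/child org model, the `allow_inherited` option, and the use of a Python callable to stand in for the adaptive script are all assumptions for illustration.

```python
# Added example (not WSO2 code): organization-scoped resolution of adaptive
# authentication scripts. Names and the org model are illustrative assumptions.
from dataclasses import dataclass
from typing import Callable


class OrgContextError(Exception):
    """Raised when a flow tries to run logic owned by another organization."""


@dataclass(frozen=True)
class AdaptiveScript:
    script_id: str
    owner_org: str                  # organization whose admin configured it
    rule: Callable[[dict], bool]    # stands in for the adaptive auth script


class AdaptiveAuthRegistry:
    def __init__(self):
        self.parents = {}   # org_id -> parent org_id (None for a root org)
        self.scripts = {}   # script_id -> AdaptiveScript

    def add_org(self, org_id, parent=None):
        if parent is not None and parent not in self.parents:
            raise KeyError(parent)
        self.parents[org_id] = parent

    def add_script(self, script):
        if script.owner_org not in self.parents:
            raise KeyError(script.owner_org)
        self.scripts[script.script_id] = script

    def _ancestors(self, org_id):
        chain = []
        while org_id is not None:
            chain.append(org_id)
            org_id = self.parents[org_id]
        return chain

    def resolve(self, script_id, request_org, allow_inherited=False):
        """Return the script only if its owner may act on `request_org`.

        Strict mode: owner must be the requesting organization itself.
        allow_inherited (assumed policy): an ancestor organization may also
        own it, so a parent's script applies to its sub-organizations, but
        never a sibling's or a child's."""
        script = self.scripts.get(script_id)
        if script is None:
            raise KeyError(script_id)
        if request_org not in self.parents:
            raise OrgContextError(f"unknown organization {request_org!r}")
        permitted = {request_org}
        if allow_inherited:
            permitted.update(self._ancestors(request_org))
        if script.owner_org not in permitted:
            raise OrgContextError(
                f"script {script_id!r} owned by {script.owner_org!r} "
                f"cannot run for organization {request_org!r}")
        return script


def run_adaptive_auth(registry, script_id, request_org, context,
                      allow_inherited=False):
    """Resolve under the request's organization, then execute. The script
    sees a context pinned to that organization, so it cannot be pointed
    at another tenant's session by a crafted claim."""
    script = registry.resolve(script_id, request_org, allow_inherited)
    scoped = {**context, "org": request_org}
    return script.rule(scoped)
```

The important property is that `resolve` takes the organization from the server-side authentication context, not from anything the script or the client supplies; a registry keyed only by script id, with no owner comparison, is exactly the shape that lets a script configured in one tenant fire for a login in another.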
Cvelist · added 2026/04/29 8:08 a.m. · 28 views

CVE-2025-10503 Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 Identity Server

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this...

CVSS 6.1 · EPSS 0.00173
Exploits 0 · References 1
CVE · added 2026/04/29 8:08 a.m. · 9 views

CVE-2025-10503

WSO2 Identity Server: CVE-2025-10503 is a reflected cross-site scripting flaw in the authentication endpoint caused by insufficient output encoding for user-supplied input. This allows injection of malicious JavaScript payloads that can redirect users, alter the UI, or retrieve information from t...

CVSS 6.1 · AI score 5.4 · EPSS 0.00173
Exploits 0 · References 1 · Affected Software 1
CNNVD · added 2026/04/29 12:00 a.m. · 7 views

WSO2 Identity Server cross-site scripting vulnerability

WSO2 Identity Server is an identity authentication server developed by the American company WSO2. WSO2 Identity Server has a cross-site scripting vulnerability. This vulnerability arises from the fact that the authentication endpoint accepts user input without enforcing the expected validation...

CVSS 6.1 · AI score 5.6 · EPSS 0.00173
Exploits 0 · References 1
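The CVE-2025-10503 records and the Nuclei WSO2 Management Console entry at the top of the page both describe reflected cross-site scripting: a request parameter is written into the HTML response without output encoding, and the advisory text for CVE-2025-10503 also notes a missing validation constraint on the input. The block below is an added example written for this page, not WSO2's endpoint code, any listed source's template, or a reproduction of either vulnerability. It shows the vulnerable rendering shape beside the hardened one (validation plus contextual encoding) and a small reflection check of the kind a tester uses to confirm a patch; the endpoint URL, the parameter name `relyingParty`, the identifier grammar and the function names are assumptions for illustration.

```python
# Added example (not WSO2 code): reflected-XSS rendering, vulnerable and
# hardened, plus a reflection check. URL, parameter name and grammar are
# assumptions made for illustration.
import html
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "relyingParty"                          # assumed parameter name
ALLOWED_ID = re.compile(r"[A-Za-z0-9._:-]{1,128}")  # assumed identifier grammar


def params_from_url(url):
    """Constructed request parsing: first value of each query parameter."""
    qs = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def render_login_vulnerable(params):
    """Vulnerable shape: raw parameter interpolated into an HTML text node."""
    relying = params.get(PARAM, "")
    return f"<p>Login to {relying}</p>"


def render_login_fixed(params, validate=True):
    """Hardened shape. Two independent layers:
    1. validation: anything outside the expected grammar is discarded;
    2. output encoding for the HTML text-node context.
    `validate=False` shows that encoding alone still neutralises markup."""
    relying = params.get(PARAM, "")
    if validate and not ALLOWED_ID.fullmatch(relying):
        relying = ""
    return f"<p>Login to {html.escape(relying, quote=True)}</p>"


def payload_reflected_unencoded(body, payload):
    """Tester's check: the marker comes back byte-for-byte, so the browser
    would parse it as markup. An encoded reflection does not match."""
    return payload in body


def reflection_report(url, payload):
    """Run both renderers against one crafted request and summarise."""
    params = params_from_url(url)
    return {
        "vulnerable": payload_reflected_unencoded(
            render_login_vulnerable(params), payload),
        "encoded_only": payload_reflected_unencoded(
            render_login_fixed(params, validate=False), payload),
        "validated_and_encoded": payload_reflected_unencoded(
            render_login_fixed(params), payload),
    }
```

The check is intentionally a plain substring test on a marker the tester chooses; it answers the question a patch verifier asks, which is whether the server still echoes markup unchanged, and it does not depend on any particular browser behaviour.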