21 matches found
CVE-2025-10907
CVE-2025-10907 describes an arbitrary file upload vulnerability in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a crafted file to a user-controlled location within the ...
EUVD-2025-34752
An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details tha...
EUVD-2025-34754
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level...
CVE-2025-9955
An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details tha...
CVE-2025-9804
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level...
CVE-2025-9804
The CVE-2025-9804 entry concerns multiple WSO2 products (e.g., API Manager family) with an improper access-control flaw due to insufficient permission enforcement in internal SOAP Admin Services and System REST APIs. The root cause is limited access-control checks on internal interfaces, allowing...
CVE-2025-9955 Improper Access Control in WSO2 Enterprise Integrator Product via SOAP Admin Services for Logs and User-Store Configuration
An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details tha...
EUVD-2024-54612
Malicious code in bioql PyPI...
Privilege Escalation
org.wso2.am, am-parent, org.wso2.is, identity-server-parent are vulnerable to privilege escalation. The vulnerability is due to improper validation and access control in the SOAP admin services, which allows attackers to assign elevated privileges to self-registered users under specific deploymen...
CVE-2024-7074
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an...
CVE-2024-7074 Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an...
CVE-2024-7073 Unauthenticated Server-Side Request Forgery (SSRF) in Multiple WSO2 Products via SOAP Admin Services
A server-side request forgery SSRF vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin services. This flaw allows unauthenticated attackers to manipulate server-side requests, enabling access to internal and external resources available through the networ...
WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: SOAP admin services are accessible to the attacker. The...
Incorrect Authorization
Overview org.wso2.is:identity-server-parent is an open source Identity and Access Management solution federating and managing identities across both enterprise and cloud service environments. Affected versions of this package are vulnerable to Incorrect Authorization due to a business logic flaw ...
Incorrect Authorization
Overview org.wso2.am:am-parent is a WSO2 API Manager - Aggregator Module Affected versions of this package are vulnerable to Incorrect Authorization due to a business logic flaw in SOAP admin services. An attacker can create a new user with elevated permissions by exploiting accessible SOAP admin...
GHSA-J63J-7R7R-5V4J WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: SOAP admin services are accessible to the attacker. The...
CVE-2024-7096
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: SOAP admin services are accessible to the attacker. The...
CVE-2024-7096
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: SOAP admin services are accessible to the attacker. The...
CVE-2024-7096 Privilege Escalation in Multiple WSO2 Products via SOAP Admin Service Due to Business Logic Flaw
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: SOAP admin services are accessible to the attacker. The...
CVE-2024-7096
Summary: CVE-2024-7096 describes a privilege-escalation flaw in multiple WSO2 products arising from a business-logic weakness in SOAP admin services. An attacker can create a new user with elevated permissions when SOAP admin services are accessible, the deployment uses an internal attribute not ...