CVE-2022-29464
CVE-2022-29464 is an unauthenticated arbitrary file upload in WSO2 products that enables remote code execution via a crafted POST to /fileupload. The vulnerability arises from directory traversal during upload, allowing JSPs to be placed under the webroot (e.g., repository/deployment/se...
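The bug class behind CVE-2022-29464, shown as an added example rather than WSO2 code: a multipart upload handler that joins the client-supplied filename onto the upload root walks out of that root on "../" segments, and a hardened handler refuses separators, traversal, NUL bytes and disallowed extensions before writing anything. The example assumes the attacker-controlled path arrives in the multipart Content-Disposition filename; the upload root, the extension allow-list and the sample request body are constructed, and the traversal target in the sample is a placeholder, not the real deployment path.

```python
"""Added example (not WSO2 code): unsafe vs. hardened upload path handling,
plus a filter-style pre-check over a raw multipart body."""
import posixpath
import re
from urllib.parse import unquote

UPLOAD_ROOT = "/opt/uploads"                  # assumed upload directory
ALLOWED_SUFFIXES = (".png", ".jpg", ".pdf")   # assumed allow-list: no .jsp/.jspx/.war

# filename="..." in a multipart part header (constructed request format below)
FILENAME_RE = re.compile(rb'Content-Disposition:[^\r\n]*?filename="([^"\r\n]*)"', re.IGNORECASE)


def multipart_filenames(body):
    """Return every filename declared in a raw multipart/form-data body."""
    return [m.group(1).decode("utf-8", "replace") for m in FILENAME_RE.finditer(body)]


def vulnerable_target(filename, upload_root=UPLOAD_ROOT):
    """Unsafe pattern: the client-supplied name is joined straight onto the upload
    root, so '../' segments walk out of it and the file lands wherever they point."""
    return posixpath.normpath(posixpath.join(upload_root, filename))


def safe_target(filename, upload_root=UPLOAD_ROOT, allowed=ALLOWED_SUFFIXES):
    """Hardened version: decode first (catches %2e%2e%2f), then reject NULs,
    separators, bare traversal names and disallowed extensions, and finally
    confirm the resolved path is still inside upload_root."""
    name = unquote(filename)
    if "\x00" in name:
        raise ValueError("NUL byte in filename: %r" % filename)
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        raise ValueError("path separator or traversal in filename: %r" % filename)
    if not name.lower().endswith(allowed):
        raise ValueError("extension not allowed: %r" % filename)
    target = posixpath.normpath(posixpath.join(upload_root, name))
    if not target.startswith(posixpath.normpath(upload_root) + "/"):
        raise ValueError("target escapes upload root")   # defence in depth
    return target


def scan_upload(body):
    """Detection-side view: list the filenames in a multipart body that the
    hardened handler would refuse, i.e. what a request filter should flag."""
    flagged = []
    for name in multipart_filenames(body):
        try:
            safe_target(name)
        except ValueError:
            flagged.append(name)
    return flagged


# Constructed request body: one benign part and one traversal to a JSP.
# 'webroot/x.jsp' is a placeholder, not a real product path.
SAMPLE_BODY = (
    b"--B\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4 ...\r\n"
    b"--B\r\n"
    b'Content-Disposition: form-data; name="file"; filename="../../../webroot/x.jsp"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n<% ... %>\r\n"
    b"--B--\r\n"
)

if __name__ == "__main__":
    for name in multipart_filenames(SAMPLE_BODY):
        print("unsafe join would write to:", vulnerable_target(name))
    print("flagged by pre-check:", scan_upload(SAMPLE_BODY))
```

Running the block prints the escaped path the unsafe join produces for the second part and shows the pre-check flagging only that part; the decode-then-check order matters, since checking the raw string and decoding afterwards lets an encoded "../" through.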
CVE-2021-42646
CVE-2021-42646 is an XML External Entity (XXE) vulnerability in the file-based Service Provider Creation feature of the WSO2 Management Console. Affected: WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0; WSO2 Identity Server as Key Manager 5.7.0, 5.9.0, 5.10.0; WSO2 Identity Server 5.7.0, 5.8....
CVE-2022-29548
CVE-2022-29548 is a reflected Cross-Site Scripting (XSS) vulnerability in the WSO2 Management Console affecting API Manager and related products (e.g., API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0–3.2.0, 4.0.0; API Manager Analytics; API Microgateway; Data Analytics Server; Enterprise Integrator; IS as...
CVE-2025-2905
The CVE-2025-2905 entry describes an XML External Entity (XXE) vulnerability in the WSO2 API Manager gateway component due to insufficient validation of XML input. The issue allows unauthenticated remote attackers to read server filesystem files and perform denial-of-service (DoS) attacks. Affect...
CVE-2024-7097
WSO2 products are affected by an improper authorization vulnerability in the SOAP admin service that allows unauthenticated account creation regardless of self-registration configuration. Attackers can create arbitrary user accounts (potentially many), leading to unauthorized access and possible ...
CVE-2019-15108
CVE-2019-15108 affects WSO2 API Manager 2.6.0 without WSO2-CARBON-PATCH-4.4.0-4457: an XSS vulnerability in the file-upload feature of the event simulator component, triggered by a crafted filename. Remediation: apply WSO2-CARBON-PATCH-4.4.0-4457 to ...
CVE-2020-13883
CVE-2020-13883 affects WSO2 product family: WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier. The vulnerability is an XML External Entity (XXE) flaw in the Management Console during the addition or update of a Lifecycle. Connected sourc...
CVE-2020-24590
The CVE-2020-24590 entry affects the WSO2 API Manager Management Console (versions up to 3.1.0) and API Microgateway (2.2.0). It stems from XML Entity Expansion/XEE in the XML processing path, enabling attackers to cause denial of service or crash the system, with examples indicating unauthentica...
CVE-2020-12719
CVE-2020-12719 describes an XXE condition that can occur during an EventPublisher update in the Management Console of several WSO2 products. Affected products and versions include WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integ...
CVE-2024-2321
WSO2 CVE-2024-2321 involves an incorrect authorization vulnerability across multiple WSO2 products that allows API access using a refresh token instead of an access token due to inadequate authorization checks and token mapping. Connected sources corroborate the issue and note that exploitation r...
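The authorization mistake described for CVE-2024-2321, in miniature, as an added example that is not WSO2 code: a resource server that only checks that a bearer token is validly signed, unexpired and carries the right scope will accept a refresh token, because refresh tokens pass all three tests. The fix binds authorization to the token type as well. The HMAC-signed JWT-style token format, the token_use claim, the signing key and the scope names are all constructed for the example.

```python
"""Added example (not WSO2 code): refresh token accepted as an access token."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-not-for-production"   # assumed


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(token_use, sub, scope, ttl, now):
    """Issue an HS256-signed token whose claims record what kind of token it is.
    token_use is 'access' or 'refresh' (constructed claim name)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "scope": scope, "token_use": token_use, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, now):
    """Signature and expiry only; returns the claims or None. Says nothing about type."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:          # malformed base64/JSON or wrong segment count
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def authorize_vulnerable(token, required_scope, now):
    """The flaw: any well-formed token with the scope is accepted, so a long-lived
    refresh token works as an API credential."""
    claims = verify_token(token, now)
    return bool(claims) and required_scope in claims.get("scope", "").split()


def authorize_fixed(token, required_scope, now):
    """Only tokens issued as access tokens may call APIs."""
    claims = verify_token(token, now)
    return (bool(claims) and claims.get("token_use") == "access"
            and required_scope in claims.get("scope", "").split())


if __name__ == "__main__":
    now = 1_700_000_000
    refresh = mint_token("refresh", "alice", "read:apis", 30 * 86400, now)
    print("vulnerable accepts refresh token:", authorize_vulnerable(refresh, "read:apis", now))
    print("fixed accepts refresh token:     ", authorize_fixed(refresh, "read:apis", now))
```

With opaque tokens the same rule applies at the introspection or token-table lookup: the record must carry the token kind and the API gateway must check it, not merely that the string exists and is unexpired.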
CVE-2020-17453
WSO2 Carbon Management Console
CVE-2020-24589
CVE-2020-24589 affects WSO2 API Manager up to 3.1.0 and API Microgateway 2.2.0 with XML External Entity (XXE) injection in the Management Console. The vulnerability arises from improper XML parsing, potentially allowing access to server files and interaction with backend systems. In practice, CVE...
CVE-2017-14651
Summary: CVE-2017-14651 affects WSO2 Data Analytics Server 3.1.0. The vulnerability is a cross-site scripting (XSS) flaw in carbon/resources/add_collection_ajaxprocessor.jsp, exploitable via the collectionName or parentPath parameters. Exploitation could cause injected scripts to run in a victim’...
CVE-2019-20434
WSO2 API Manager 2.6.0 is affected by a potential Reflected Cross-Site Scripting (XSS) vulnerability in the Datasource creation page of the Management Console. The issue arises from insufficient validation of client-side data in the web application, which could allow an attacker to execute client...
CVE-2024-8008
CVE-2024-8008 is a reflected Cross-Site Scripting (XSS) vulnerability in multiple WSO2 products caused by insufficient output encoding in error messages from the JDBC user store connection validation request. An attacker can craft a request payload that triggers JavaScript execution in the victim...
CVE-2019-20439
CVE-2019-20439 affects WSO2 API Manager 2.6.0. The issue is a potential reflected Cross-Site Scripting (XSS) in the scope definition feature of the API Publisher’s “manage the API” page. The publicly provided descriptions attribute this to insufficient validation of client-side data in the web ap...
CVE-2023-31664
The CVE-2023-31664 entry describes a reflected XSS in WSO2 API Manager prior to 4.2.0, exploitable via the tenantDomain parameter in /authenticationendpoint/login.do. Affected product is WSO2 API Manager; root cause is improper escaping/output handling of user-controlled input in tenantDomain, en...
CVE-2019-20435
WSO2 API Manager 2.6.0 contains a reflected XSS in the inline API documentation editor page of the API Publisher, exploitable via a crafted GET request with a harmful docName parameter. Root cause is insufficient input validation/escaping on docName leading to script execution in an attacker-cont...
CVE-2019-20436
Affected software: WSO2 API Manager 2.6.0; WSO2 IS as Key Manager 5.7.0; WSO2 Identity Server 5.8.0. Issue: configuring a claim dialect whose URI contains an XSS payload can cause execution when the URI is added as a service provider claim dialect during SP configuration, given the attacker has a...
CVE-2019-20442
Root cause: Stored Cross-Site Scripting (XSS) in the registry UI of WSO2 products. Affected: WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. The XSS vulnerability is reported in roleToAuthorize handling. Impact: potential exp...
CVE-2023-6837
CVE-2023-6837 concerns multiple WSO2 products where, under specific federated authentication and JIT provisioning configurations, an attacker could impersonate another user. The vulnerable setup requires: (1) an IDP configured for federated authentication with JIT provisioning enabled and the pro...
CVE-2024-7096
Summary: CVE-2024-7096 describes a privilege-escalation flaw in multiple WSO2 products arising from a business-logic weakness in SOAP admin services. An attacker can create a new user with elevated permissions when SOAP admin services are accessible, the deployment uses an internal attribute not ...
CVE-2023-6839
CVE-2023-6839 affects WSO2 API Manager. The issue stems from improper error handling in a REST API resource, which can cause server-side errors to disclose an internal WSO2-specific package name in the HTTP response. Documented impacts indicate confidentiality exposure (information disclosed via ...
CVE-2020-24591
The CVE concerns an XML External Entity (XXE) vulnerability in the Management Console of several WSO2 products during EventReceiver updates. Affected are API Manager up to 3.0.0; API Manager Analytics 2.2.0 and 2.5.0; API Microgateway 2.2.0; Enterprise Integrator 6.2.0 and 6.3.0; and Identity Ser...
CVE-2019-20437
CVE-2019-20437 affects WSO2 API Manager 2.6.0, WSO2 Identity Server 5.8.0, and WSO2 IS as Key Manager 5.7.0. A custom claim dialect with an XSS payload can execute when a user selects the dialect URI as the provisioning claim in the identity provider’s advanced claim configuration, provided the a...
CVE-2019-20438
CVE-2019-20438 affects WSO2 API Manager 2.6.0. The issue is a potential stored Cross-Site Scripting (XSS) vulnerability identified in the inline API documentation editor page of the API Publisher. The connected documents confirm the same description across multiple sources (NVD/Red Hat/NVD family...
CVE-2019-20443
CVE-2019-20443 affects WSO2 products: API Manager 2.6.0, Enterprise Integrator 6.5.0, Identity Server 5.8.0, and related Key Manager 5.7.0. The issue is a potential stored Cross-Site Scripting (XSS) in the registry UI due to improper handling of mediaType in the UI component. Impact described acr...
CVE-2023-6911
CVE-2023-6911 affects WSO2 products, with the root cause described as improper output encoding in the Registry feature of the Management Console, enabling a Stored Cross Site Scripting (XSS) payload injection. The issue is documented across multiple sources (including Red Hat, Veracode, GHSA/osv ...
CVE-2019-20440
The CVE-2019-20440 entry concerns WSO2 API Manager 2.6.0, describing a potential Reflected Cross-Site Scripting (XSS) vulnerability in the update API documentation feature of the API Publisher. All connected sources reiterate the same issue without providing concrete exploit details, affected sub...
CVE-2024-6914
Affected products. WSO2 products (notably API Manager, Identity Server and related Open Banking variants) are affected by CVE-2024-6914 due to a business logic flaw in the account recovery-related SOAP admin service. Vulnerability and root cause. An incorrect authorization flow in the account rec...
CVE-2019-20441
CVE-2019-20441 affects WSO2 API Manager 2.6.0, with a potential Stored Cross-Site Scripting (XSS) vulnerability in the API Publisher’s implement phase. Publicly documented details consistently describe the issue as a stored XSS in the publisher UI logic, but do not provide concrete exploit chains...
CVE-2024-3509
CVE-2024-3509 is a stored XSS in the Management Console of multiple WSO2 products caused by insufficient input validation in the Rich Text Editor within the registry section. Exploitation requires a valid admin account; a successful attack can inject persistent JavaScript payloads to exfiltrate d...
CVE-2019-6515
Technical details (affected products, components, impact, remediation) are not publicly available in the provided documents. Monitor for updates.
CVE-2020-13226
CVE-2020-13226: WSO2 API Manager 3.0.0 contains an SSRF vulnerability where outbound network access from a Publisher node is not properly restricted, allowing access to the intranet. The NVD entry records a CRITICAL base score (CVSSv3.1 9.8) with network access, low attack complexity, and no ...
CVE-2024-1440
CVE-2024-1440 describes an open redirection in multiple WSO2 products caused by improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A crafted link can redirect users to attacker-controlled sites, enabling phishing or similar soci...
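The control whose absence makes an open redirect like CVE-2024-1440 possible, as an added example that is not WSO2 code: a post-authentication redirect target is either a relative path on the same site or an absolute URL whose scheme and host match the authentication endpoint's own origin exactly, and everything else is refused. The trusted origin is constructed; the awkward inputs are the standard ones a browser will happily follow to another host (protocol-relative "//host", backslash variants, "user@host", look-alike subdomains, and non-HTTP schemes).

```python
"""Added example (not WSO2 code): same-origin validation of a redirect target."""
from urllib.parse import urlsplit, urlunsplit

TRUSTED_SCHEME, TRUSTED_HOST = "https", "idp.example.com"   # assumed origin


def safe_redirect_target(target, scheme=TRUSTED_SCHEME, host=TRUSTED_HOST):
    """Return a normalised redirect target that stays on the trusted origin,
    or None if it must not be followed."""
    if not target or any(c in target for c in "\x00\t\r\n "):
        return None                 # control characters / whitespace: never legitimate here
    # Browsers treat '\' like '/' when parsing the authority, so '/\evil' is '//evil'.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if not parts.scheme and not parts.netloc:
        # Relative reference. Collapse any run of leading slashes to one so the
        # value we emit cannot be re-read as protocol-relative '//host'.
        path = "/" + parts.path.lstrip("/")
        return urlunsplit(("", "", path, parts.query, ""))
    # Absolute URL: exact scheme and netloc match. This also rejects
    # 'https://idp.example.com@evil.example', odd ports and 'https:evil.example'.
    if parts.scheme.lower() != scheme or parts.netloc.lower() != host:
        return None
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for candidate in ("/dashboard", "//evil.example/", "/\\evil.example/",
                      "https://idp.example.com/home", "https://idp.example.com@evil.example/",
                      "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Emitting the normalised value rather than the raw parameter is part of the control: a check that approves "////evil.example" as "relative" and then writes the original string into the Location header still redirects off-site.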
CVE-2023-6836
CVE-2023-6836 refers to an XML External Entity (XXE) vulnerability affecting multiple WSO2 products (notably WSO2 API Manager). The underlying issue is an XML parser feature that can be abused to access sensitive information. The CVSS data in the initial document shows a high impact with network ...
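The XXE entries above (CVE-2021-42646, CVE-2025-2905, CVE-2020-13883, CVE-2020-12719, CVE-2020-24589, CVE-2020-24591, CVE-2023-6836) and the entity-expansion denial of service in CVE-2020-24590 share one root cause: XML supplied by the client reaches a DTD-aware parser that honours entity declarations. The primary fix is in the parser configuration (disallow DOCTYPE declarations, disable external general and parameter entities). The following is an added example, not WSO2 code, of a complementary gate that inspects the document before parsing: it reports any DOCTYPE, any external or parameter entity, and estimates how far nested internal entities expand so a "billion laughs" payload is refused by size rather than discovered by an exhausted heap. The risk-report format, the expansion limit and the sample documents are constructed.

```python
"""Added example (not WSO2 code): pre-parse gate for XXE / entity-expansion payloads."""
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name [SYSTEM|PUBLIC] ...  -> (param marker, name, external keyword)
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s%>]+)\s+(SYSTEM|PUBLIC)?", re.IGNORECASE)
# internal general entity with a literal value: <!ENTITY name "value">
INTERNAL_RE = re.compile(r'<!ENTITY\s+([^\s%>]+)\s+"([^"]*)"')
ENTITY_REF_RE = re.compile(r"&([^;&\s<]+);")

MAX_EXPANSION = 1024   # assumed policy: characters one entity may expand to


def internal_entity_expansion(xml_text):
    """Map each internal general entity to the length of its fully expanded value,
    following nested references (the billion-laughs pattern is a chain of these)."""
    defs = dict(INTERNAL_RE.findall(xml_text))
    sizes = {}

    def size(name, depth=0):
        if name in sizes:
            return sizes[name]
        if depth > 32:
            raise ValueError("entity reference chain too deep (recursive entities?)")
        body = defs[name]
        total, pos = 0, 0
        for ref in ENTITY_REF_RE.finditer(body):
            total += ref.start() - pos           # literal text before the reference
            pos = ref.end()
            inner = ref.group(1)
            # undefined or predefined entities (&amp; etc.) are counted as written
            total += size(inner, depth + 1) if inner in defs else len(ref.group(0))
        total += len(body) - pos
        sizes[name] = total
        return total

    return {name: size(name) for name in defs}


def xml_risk_report(xml_text, max_expansion=MAX_EXPANSION):
    """Reasons to refuse the document before a DTD-aware parser sees it.
    An empty list means it carries no DOCTYPE or entity machinery at all."""
    reasons = []
    if DOCTYPE_RE.search(xml_text):
        reasons.append("DOCTYPE declaration present")
    for param, name, external in ENTITY_RE.findall(xml_text):
        if external:       # file read / SSRF vector (XXE)
            reasons.append(f"external entity {'%' if param else ''}{name} ({external.upper()})")
        elif param:        # parameter entities: the plumbing of blind / OOB XXE
            reasons.append(f"parameter entity %{name}")
    try:
        for name, n in internal_entity_expansion(xml_text).items():
            if n > max_expansion:
                reasons.append(f"entity {name} expands to {n} chars (> {max_expansion})")
    except ValueError as exc:
        reasons.append(str(exc))
    return reasons


# Constructed samples.
BENIGN = '<?xml version="1.0"?><config><name>orders</name></config>'
XXE_SAMPLE = ('<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              '<foo>&xxe;</foo>')
XEE_SAMPLE = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
              ' <!ENTITY lol "lol">\n'
              ' <!ENTITY lol1 "' + "&lol;" * 10 + '">\n'
              ' <!ENTITY lol2 "' + "&lol1;" * 10 + '">\n'
              ' <!ENTITY lol3 "' + "&lol2;" * 10 + '">\n'
              ']>\n<lolz>&lol3;</lolz>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE_SAMPLE), ("xee", XEE_SAMPLE)):
        print(label, "->", xml_risk_report(doc) or "ok")
```

The simplest production policy for configuration and management XML is to refuse any DOCTYPE at all, which is the first line of the report; the finer-grained reasons are there so the gate's logs say which vector a rejected request was attempting.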
CVE-2024-5848
CVE-2024-5848 is a reflected XSS in multiple WSO2 products caused by improper input validation. Attackers can inject malicious JavaScript via unsanitized user data echoed in server responses, potentially enabling UI manipulation, redirection to malicious sites, or browser data exfiltration. Docum...
CVE-2020-17454
CVE-2020-17454 affects WSO2 API Manager 3.1.0 and earlier. The vulnerability is a reflected XSS in the admin interface of the publisher component via the owner POST parameter, where input is not filtered and an injected payload can be rendered in a modal with an error message; it can also be expl...
CVE-2020-24703
CVE-2020-24703 affects multiple WSO2 products: API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0–...
CVE-2023-6835
WSO2 API Manager is identified as vulnerable due to lack of server-side input validation in the Forum feature, which could allow manipulation of API ratings. The issue is documented across multiple sources (including CVE-2023-6835 and related advisories) with no explicit exploit details provided ...
CVE-2020-24705
CVE-2020-24705 describes a session hijacking vulnerability in several WSO2 products where a valid Carbon Management Console session cookie can be sent to an attacker-controlled server after a crafted Try It request. Affected are WSO2 API Manager (through 3.1.0), API Manager Analytics (2.5.0), IS ...
CVE-2024-5962
CVE-2024-5962 is a reflected XSS in the authentication endpoint of multiple WSO2 products (e.g., WSO2 API Manager and WSO2 Identity Server) caused by missing output encoding of user input. The vulnerability can lead to arbitrary JavaScript execution in the authentication flow, potentially modifyi...
CVE-2020-24704
CVE-2020-24704 is a reflected XSS vulnerability affecting multiple WSO2 products (API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrator, IS as Key Manager, Identity Server/Analytics, and IoT Server) with versions listed in the Initial description. The ...
CVE-2020-24706
WSO2 advisory CVE-2020-24706 affects API Manager (through 3.1.0), API Manager Analytics (2.5.0), IS as Key Manager (through 5.10.0), Identity Server (through 5.10.0), Identity Server Analytics (through 5.6.0), and IoT Server (3.1.0). Root cause: Try It tool allows Reflected XSS. Impact: potential...
CVE-2019-6513
WSO2 API Manager 2.6.0 is affected by CVE-2019-6513: a logged-in user can upload, as API documentation, any type of file by changing its extension to an allowed one. This vulnerability is described across multiple sources (NVD, OSV, CVE records) with the same root issue. No explicit exploits, mit...
CVE-2021-36760
WSO2 Identity Server 5.7.0 contains a DOM-Based XSS in accountrecoveryendpoint/recoverpassword.do that manipulates the callback parameter in the URL before the callback is invoked. This can lead to execution of injected JavaScript after the username/password reset flow completes. The same endpoin...
CVE-2019-6512
WSO2 API Manager 2.6.0 is affected by an SSRF issue that can force the application to access internal resources via the file:// wrapper, enabling requests to internal/workstation hosts (port-scanning), neighboring systems (network scanning), or file enumeration. The root cause is the presence of ...
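The egress control missing in the two SSRF entries above, CVE-2019-6512 (file:// access and scanning of internal hosts) and CVE-2020-13226 (unrestricted outbound access from a Publisher node), as an added example that is not WSO2 code: before a server-side component fetches a user-supplied URL it restricts the scheme to HTTP(S), refuses embedded credentials, resolves the host and rejects any answer that is loopback, private, link-local or otherwise non-public, including IPv4-mapped IPv6 forms. The allowed-scheme set, the stub resolver and the sample targets are constructed; in production the resolver is real DNS and the fetch should connect to the address that was validated rather than re-resolving the name, or a rebinding answer defeats the check.

```python
"""Added example (not WSO2 code): validate an outbound URL before fetching it."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy: no file://, ftp://, gopher://, jar:// ...

# Constructed stand-in for DNS: hostname -> address strings.
FAKE_DNS = {
    "api.example.net": ["93.184.216.34"],
    "dual.example.net": ["93.184.216.34", "10.0.0.5"],   # mixed answer (rebinding-style)
    "metadata.internal": ["169.254.169.254"],             # link-local metadata address
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_public_address(ip_text):
    """True only for addresses that are routable on the public internet."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is loopback, not "public v6"
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_egress_url(url, resolve=fake_resolve):
    """Return (allowed, reason). Every resolved address must be public; one
    private address in a mixed answer is enough to refuse the fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname                # lower-cased, brackets stripped for IPv6
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP, no lookup needed
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, f"{host!r} did not resolve"
    for ip_text in addresses:
        if not is_public_address(ip_text):
            return False, f"{host!r} -> {ip_text} is not a public address"
    return True, f"{host!r} -> {','.join(addresses)}"


if __name__ == "__main__":
    for candidate in ("file:///etc/passwd", "http://127.0.0.1:8080/", "http://[::ffff:127.0.0.1]/",
                      "http://metadata.internal/", "http://dual.example.net/",
                      "https://api.example.net/v1"):
        print(f"{candidate:40} {validate_egress_url(candidate)}")
```

Hostnames written in unusual numeric forms (hex or octal octets, a single decimal integer) are not accepted by ipaddress and fall through to the resolver; a real resolver may normalise them to 127.0.0.1, which the address check then catches, so the post-resolution check is the one that must never be skipped.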
CVE-2020-27885
WSO2 API Manager 3.1.0 is affected by a Cross-Site Scripting (XSS) vulnerability. A malicious user can inject and execute script via the authenticationEndpointURL parameter in FileBasedConfigurationBuilder.java (readAuthenticationEndpointURL), enabling session hijacking by stealing cookies, which...
CVE-2023-6838
The CVE-2023-6838 entry describes a reflected Cross-Site Scripting vulnerability in the Authentication Endpoint of WSO2 API Manager. An attacker can tamper a request parameter to execute script in the context of a victim’s browser, with impact limited to confidentiality and integrity (per CVSS: L...
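Most of the XSS entries in this listing (for example CVE-2024-8008 in error messages, CVE-2023-31664 via tenantDomain, CVE-2024-5962 and CVE-2023-6838 in the authentication endpoint) are described as missing output encoding: a request parameter is reflected into a page in a context where the encoding chosen did not match the context. The following added example, not WSO2 code, puts the vulnerable concatenation beside the encoding each output context needs: HTML text, a quoted attribute, and a JavaScript string literal. The template fragments, parameter names and payload are constructed.

```python
"""Added example (not WSO2 code): context-specific output encoding for a reflected value."""
import html
import json


def render_error_vulnerable(user_value):
    """Vulnerable pattern: the raw request parameter is concatenated into markup."""
    return f'<div class="error">Connection to {user_value} failed</div>'


def render_error_fixed(user_value):
    """HTML text context: &, <, >, \" and ' are escaped, so tags cannot be opened."""
    return f'<div class="error">Connection to {html.escape(user_value, quote=True)} failed</div>'


def render_attr_fixed(user_value):
    """Attribute context: always quote the attribute AND escape the value; an
    unquoted attribute can be broken out of with a space, which escaping does not cover."""
    return f'<input name="tenantDomain" value="{html.escape(user_value, quote=True)}">'


def render_script_fixed(user_value):
    """JavaScript string context: JSON-encode (handles quotes, backslashes, newlines,
    non-ASCII), then also escape <, > and & so '</script>' cannot close the block
    and the literal is safe if the script is ever inlined into HTML."""
    literal = (json.dumps(user_value)
               .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))
    return f"<script>var tenant = {literal};</script>"


PAYLOAD = '"><script>alert(1)</script>'   # constructed probe value

if __name__ == "__main__":
    print(render_error_vulnerable(PAYLOAD))
    print(render_error_fixed(PAYLOAD))
    print(render_attr_fixed(PAYLOAD))
    print(render_script_fixed(PAYLOAD))
```

The recurring lesson across the entries is that one encoder does not fit every sink: HTML escaping inside a `<script>` block does nothing about a closing script tag or a breakout quote, and JSON encoding in an HTML attribute leaves `"` unchanged in the wrong way; the encoder has to be chosen per insertion point.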
CVE-2018-20737
CVE-2018-20737 affects WSO2 API Manager 2.1.0 and 2.6.0. The connected documents describe a Reflected XSS flaw in the product’s carbon component. The NVD record lists a Medium severity (CVSSv3.0 base score 5.4) with network access and requiring user interaction. No exploitation details are prov...