8 matches found
CVE-2022-29464
CVE-2022-29464 is an unauthenticated, pre-auth arbitrary file upload in WSO2 products that enables remote code execution via a crafted POST to /fileupload. The vulnerability arises from directory traversal during upload, allowing JSPs to be placed under the webroot (e.g., repository/deployment/se...
CVE-2024-7097
WSO2 products are affected by an improper authorization vulnerability in the SOAP admin service that allows unauthenticated account creation regardless of self-registration configuration. Attackers can create arbitrary user accounts (potentially many), leading to unauthorized access and possible ...
CVE-2024-7073
CVE-2024-7073 describes a server-side request forgery (SSRF) in multiple WSO2 products caused by improper input validation in the SOAP admin/management services. The vulnerability allows unauthenticated attackers to trigger server-side requests to internal or external resources reachable by the a...
CVE-2024-7096
Summary: CVE-2024-7096 describes a privilege-escalation flaw in multiple WSO2 products arising from a business-logic weakness in SOAP admin services. An attacker can create a new user with elevated permissions when SOAP admin services are accessible, the deployment uses an internal attribute not ...
CVE-2024-6914
Affected products. WSO2 products (notably API Manager, Identity Server and related Open Banking variants) are affected by CVE-2024-6914 due to a business logic flaw in the account recovery-related SOAP admin service. Vulnerability and root cause. An incorrect authorization flow in the account rec...
CVE-2025-10611
CVE-2025-10611 describes an insufficient access-control implementation across multiple WSO2 Products, allowing bypass of authentication and authorization checks on certain REST APIs. This could let an unauthenticated actor invoke APIs and perform unauthenticated/unauthorized administrative operat...
CVE-2025-9312
CVE-2025-9312 relates to a missing authentication enforcement in WSO2 products’ mTLS implementation used by System REST APIs and SOAP services. The root cause is improper validation of client certificate–based authentication under certain default configurations, allowing unauthenticated requests ...
CVE-2025-9804
The CVE-2025-9804 entry concerns multiple WSO2 products (e.g., API Manager family) with an improper access-control flaw due to insufficient permission enforcement in internal SOAP Admin Services and System REST APIs. The root cause is limited access-control checks on internal interfaces, allowing...