Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for WSO2 Enterprise Service Bus by WSO2

    CVE-2025-9955 (GCVE-0-2025-9955)

    Vulnerability from nvd – Published: 2025-10-16 12:14 – Updated: 2025-10-16 13:29
    VLAI
    Title
    Improper Access Control in WSO2 Enterprise Integrator Product via SOAP Admin Services for Logs and User-Store Configuration
    Summary
    An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level. While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.0.0 (custom)
    Affected: 6.0.0 , < 6.0.0.22 (custom)
    Affected: 6.1.0 , < 6.1.0.39 (custom)
    Affected: 6.1.1 , < 6.1.1.43 (custom)
    Affected: 6.2.0 , < 6.2.0.62 (custom)
    Affected: 6.3.0 , < 6.3.0.70 (custom)
    Affected: 6.4.0 , < 6.4.0.100 (custom)
    Affected: 6.5.0 , < 6.5.0.107 (custom)
    Affected: 6.6.0 , < 6.6.0.222 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Service Bus Unknown: 0 , < 5.0.0 (custom)
    Affected: 5.0.0 , < 5.0.0.29 (custom)
    Create a notification for this product.
    WSO2 org.wso2.carbon:org.wso2.carbon.base Affected: 4.4.8 , < 4.4.8.7 (custom)
    Affected: 4.4.14 , < 4.4.14.5 (custom)
    Affected: 4.4.16 , < 4.4.16.9 (custom)
    Affected: 4.4.26 , < 4.4.26.13 (custom)
    Affected: 4.4.32 , < 4.4.32.16 (custom)
    Affected: 4.4.36 , < 4.4.36.7 (custom)
    Affected: 4.4.40 , < 4.4.40.37 (custom)
    Affected: 4.5.3 , < 4.5.3.45 (custom)
    Affected: 4.9 , < 4.9.29 (custom)
    Affected: 4.10 , < 4.10.94 (custom)
    Create a notification for this product.
    WSO2 org.wso2.carbon:org.wso2.carbon.server.admin Affected: 4.4.8 , < 4.4.8.7 (custom)
    Affected: 4.4.14 , < 4.4.14.5 (custom)
    Affected: 4.4.16 , < 4.4.16.9 (custom)
    Affected: 4.4.26 , < 4.4.26.13 (custom)
    Affected: 4.4.32 , < 4.4.32.16 (custom)
    Affected: 4.4.36 , < 4.4.36.7 (custom)
    Affected: 4.4.40 , < 4.4.40.37 (custom)
    Affected: 4.5.3 , < 4.5.3.45 (custom)
    Affected: 4.9 , < 4.9.29 (custom)
    Affected: 4.10 , < 4.10.94 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9955",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-16T13:23:25.309685Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-16T13:29:14.882Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.0.22",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0.39",
                  "status": "affected",
                  "version": "6.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.1.43",
                  "status": "affected",
                  "version": "6.1.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.2.0.62",
                  "status": "affected",
                  "version": "6.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.3.0.70",
                  "status": "affected",
                  "version": "6.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.4.0.100",
                  "status": "affected",
                  "version": "6.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.5.0.107",
                  "status": "affected",
                  "version": "6.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.6.0.222",
                  "status": "affected",
                  "version": "6.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Service Bus",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "5.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.0.0.29",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon:org.wso2.carbon.base",
              "product": "org.wso2.carbon:org.wso2.carbon.base",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.4.8.7",
                  "status": "affected",
                  "version": "4.4.8",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.14.5",
                  "status": "affected",
                  "version": "4.4.14",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.16.9",
                  "status": "affected",
                  "version": "4.4.16",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.26.13",
                  "status": "affected",
                  "version": "4.4.26",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.32.16",
                  "status": "affected",
                  "version": "4.4.32",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.36.7",
                  "status": "affected",
                  "version": "4.4.36",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.40.37",
                  "status": "affected",
                  "version": "4.4.40",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.5.3.45",
                  "status": "affected",
                  "version": "4.5.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.9.29",
                  "status": "affected",
                  "version": "4.9",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.10.94",
                  "status": "affected",
                  "version": "4.10",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon:org.wso2.carbon.server.admin",
              "product": "org.wso2.carbon:org.wso2.carbon.server.admin",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.4.8.7",
                  "status": "affected",
                  "version": "4.4.8",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.14.5",
                  "status": "affected",
                  "version": "4.4.14",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.16.9",
                  "status": "affected",
                  "version": "4.4.16",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.26.13",
                  "status": "affected",
                  "version": "4.4.26",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.32.16",
                  "status": "affected",
                  "version": "4.4.32",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.36.7",
                  "status": "affected",
                  "version": "4.4.36",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.40.37",
                  "status": "affected",
                  "version": "4.4.40",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.5.3.45",
                  "status": "affected",
                  "version": "4.5.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.9.29",
                  "status": "affected",
                  "version": "4.9",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.10.94",
                  "status": "affected",
                  "version": "4.10",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level.\u003cbr\u003e\u003cbr\u003eWhile no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance.\u003cbr\u003e"
                }
              ],
              "value": "An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level.\n\nWhile no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-16T12:14:56.477Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2025-4526",
            "discovery": "INTERNAL"
          },
          "title": "Improper Access Control in WSO2 Enterprise Integrator Product via SOAP Admin Services for Logs and User-Store Configuration",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2025-9955",
        "datePublished": "2025-10-16T12:14:56.477Z",
        "dateReserved": "2025-09-03T15:10:08.622Z",
        "dateUpdated": "2025-10-16T13:29:14.882Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7074 (GCVE-0-2024-7074)

    Vulnerability from nvd – Published: 2025-06-02 16:42 – Updated: 2025-06-02 17:05
    VLAI
    Title
    Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution
    Summary
    An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.0.0 (custom)
    Affected: 6.0.0 , < 6.0.0.21 (custom)
    Affected: 6.1.0 , < 6.1.0.38 (custom)
    Affected: 6.1.1 , < 6.1.1.42 (custom)
    Affected: 6.2.0 , < 6.2.0.61 (custom)
    Affected: 6.3.0 , < 6.3.0.69 (custom)
    Affected: 6.4.0 , < 6.4.0.96 (custom)
    Affected: 6.5.0 , < 6.5.0.102 (custom)
    Affected: 6.6.0 , < 6.6.0.198 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Manager Unknown: 0 , < 2.0.0 (custom)
    Affected: 2.0.0 , < 2.0.0.28 (custom)
    Affected: 2.1.0 , < 2.1.0.38 (custom)
    Affected: 2.2.0 , < 2.2.0.57 (custom)
    Affected: 2.5.0 , < 2.5.0.83 (custom)
    Affected: 2.6.0 , < 2.6.0.143 (custom)
    Affected: 3.0.0 , < 3.0.0.162 (custom)
    Affected: 3.1.0 , < 3.1.0.293 (custom)
    Affected: 3.2.0 , < 3.2.0.384 (custom)
    Affected: 3.2.1 , < 3.2.1.16 (custom)
    Affected: 4.0.0 , < 4.0.0.305 (custom)
    Affected: 4.1.0 , < 4.1.0.166 (custom)
    Affected: 4.2.0 , < 4.2.0.100 (custom)
    Affected: 4.3.0 , < 4.3.0.16 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Service Bus Affected: 4.9.0 , < 4.9.0.10 (custom)
    Affected: 5.0.0 , < 5.0.0.28 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Mobility Manager Affected: 2.2.0 , < 2.2.0.27 (custom)
    Create a notification for this product.
    WSO2 WSO2 Micro Integrator Unknown: 0 , < 1.0.0 (custom)
    Affected: 1.0.0 , < 1.0.0.49 (custom)
    Create a notification for this product.
    WSO2 WSO2 Open Banking AM Unknown: 0 , < 1.3.0 (custom)
    Affected: 1.3.0 , < 1.3.0.132 (custom)
    Affected: 1.4.0 , < 1.4.0.135 (custom)
    Affected: 1.5.0 , < 1.5.0.137 (custom)
    Affected: 2.0.0 , < 2.0.0.342 (custom)
    Create a notification for this product.
    WSO2 WSO2 Carbon Synapse Artifact Uploader BE Affected: 4.4.10 , < 4.4.10.3 (custom)
    Affected: 4.6.1 , < 4.6.1.4 (custom)
    Affected: 4.6.6 , < 4.6.6.9 (custom)
    Affected: 4.6.10 , < 4.6.10.4 (custom)
    Affected: 4.6.16 , < 4.6.16.2 (custom)
    Affected: 4.6.19 , < 4.6.19.10 (custom)
    Affected: 4.6.64 , < 4.6.64.2 (custom)
    Affected: 4.6.67 , < 4.6.67.15 (custom)
    Affected: 4.6.89 , < 4.6.89.12 (custom)
    Affected: 4.6.105 , < 4.6.105.59 (custom)
    Affected: 4.6.150 , < 4.6.150.11 (custom)
    Affected: 4.7.20 , < 4.7.20.5 (custom)
    Affected: 4.7.30 , < 4.7.30.42 (custom)
    Affected: 4.7.35 , < 4.7.35.5 (custom)
    Affected: 4.7.61 , < 4.7.61.56 (custom)
    Affected: 4.7.99 , < 4.7.99.299 (custom)
    Affected: 4.7.131 , < 4.7.131.15 (custom)
    Affected: 4.7.175 , < 4.7.175.18 (custom)
    Affected: 4.7.188 , < 4.7.188.5 (custom)
    Affected: 4.7.204 , < 4.7.204.5 (custom)
    Unaffected: 4.7.216 , ≤ * (custom)
    Create a notification for this product.
    Credits
    Anonymous working with Trend Micro Zero Day Initiative
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-02T17:04:40.480620Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-02T17:05:49.920Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.0.21",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0.38",
                  "status": "affected",
                  "version": "6.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.1.42",
                  "status": "affected",
                  "version": "6.1.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.2.0.61",
                  "status": "affected",
                  "version": "6.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.3.0.69",
                  "status": "affected",
                  "version": "6.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.4.0.96",
                  "status": "affected",
                  "version": "6.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.5.0.102",
                  "status": "affected",
                  "version": "6.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.6.0.198",
                  "status": "affected",
                  "version": "6.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.0.28",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.0.38",
                  "status": "affected",
                  "version": "2.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.0.57",
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.0.83",
                  "status": "affected",
                  "version": "2.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.6.0.143",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.0.162",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.1.0.293",
                  "status": "affected",
                  "version": "3.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.0.384",
                  "status": "affected",
                  "version": "3.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.1.16",
                  "status": "affected",
                  "version": "3.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.305",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.166",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.100",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.3.0.16",
                  "status": "affected",
                  "version": "4.3.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "WSO2 Enterprise Service Bus",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.9.0.10",
                  "status": "affected",
                  "version": "4.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.0.0.28",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "WSO2 Enterprise Mobility Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.2.0.27",
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.0.0.49",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Open Banking AM",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.3.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.3.0.132",
                  "status": "affected",
                  "version": "1.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.4.0.135",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.5.0.137",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.0.342",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon.mediation:org.wso2.carbon.mediation.artifactuploader",
              "product": "WSO2 Carbon Synapse Artifact Uploader BE",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.4.10.3",
                  "status": "affected",
                  "version": "4.4.10",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.1.4",
                  "status": "affected",
                  "version": "4.6.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.6.9",
                  "status": "affected",
                  "version": "4.6.6",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.10.4",
                  "status": "affected",
                  "version": "4.6.10",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.16.2",
                  "status": "affected",
                  "version": "4.6.16",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.19.10",
                  "status": "affected",
                  "version": "4.6.19",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.64.2",
                  "status": "affected",
                  "version": "4.6.64",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.67.15",
                  "status": "affected",
                  "version": "4.6.67",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.89.12",
                  "status": "affected",
                  "version": "4.6.89",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.105.59",
                  "status": "affected",
                  "version": "4.6.105",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.150.11",
                  "status": "affected",
                  "version": "4.6.150",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.20.5",
                  "status": "affected",
                  "version": "4.7.20",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.30.42",
                  "status": "affected",
                  "version": "4.7.30",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.35.5",
                  "status": "affected",
                  "version": "4.7.35",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.61.56",
                  "status": "affected",
                  "version": "4.7.61",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.99.299",
                  "status": "affected",
                  "version": "4.7.99",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.131.15",
                  "status": "affected",
                  "version": "4.7.131",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.175.18",
                  "status": "affected",
                  "version": "4.7.175",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.188.5",
                  "status": "affected",
                  "version": "4.7.188",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.204.5",
                  "status": "affected",
                  "version": "4.7.204",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "4.7.216",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Anonymous working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server.\u003cbr\u003e\u003cbr\u003eBy leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.\u003cbr\u003e"
                }
              ],
              "value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server.\n\nBy leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-02T16:42:19.264Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3566/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Follow the instructions given on \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3566/#solution\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3...\u003c/a\u003e \u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3566/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2024-3566",
            "discovery": "EXTERNAL"
          },
          "title": "Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2024-7074",
        "datePublished": "2025-06-02T16:42:19.264Z",
        "dateReserved": "2024-07-24T12:15:52.796Z",
        "dateUpdated": "2025-06-02T17:05:49.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2905 (GCVE-0-2025-2905)

    Vulnerability from nvd – Published: 2025-05-05 09:02 – Updated: 2025-10-16 11:39
    VLAI
    Title
    An XML External Entity (XXE) vulnerability in Multiple WSO2 Products
    Summary
    Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server’s filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 API Manager Affected: 0 , < 2.0.0 (custom)
    Affected: 2.1.0 (custom)
    Affected: 2.2.0 (custom)
    Affected: 2.5.0 (custom)
    Affected: 2.6.0 (custom)
    Affected: 3.0.0 (custom)
    Affected: 3.1.0 (custom)
    Affected: 4.0.0 , < 4.0.0.311 (custom)
    Affected: 4.1.0 , < 4.1.0.152 (custom)
    Affected: 4.2.0 , < 4.2.0.122 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.0.0 (custom)
    Affected: 6.0.0 (custom)
    Affected: 6.1.0 (custom)
    Affected: 6.1.1 (custom)
    Affected: 6.2.0 (custom)
    Affected: 6.3.0 (custom)
    Affected: 6.4.0 (custom)
    Affected: 6.5.0 (custom)
    Affected: 6.6.0 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Service Bus Unknown: 0 , < 4.9.0 (custom)
    Affected: 4.9.0 (custom)
    Affected: 5.0.0 (custom)
    Create a notification for this product.
    WSO2 WSO2 Micro integrator Unknown: 0 , < 1.0.0 (custom)
    Affected: 1.0.0 (custom)
    Affected: 1.1.0 (custom)
    Affected: 1.2.0 , < 1.2.0.162 (custom)
    Affected: 4.0.0 , < 4.0.0.132 (custom)
    Affected: 4.1.0 , < 4.1.0.115 (custom)
    Affected: 4.2.0 , < 4.2.0.112 (custom)
    Create a notification for this product.
    WSO2 WSO2 Open Banking AM Unknown: 0 , < 1.5.0 (custom)
    Affected: 1.5.0 (custom)
    Create a notification for this product.
    Credits
    crnkovic
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2905",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-05T12:44:33.257401Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-05T12:45:10.518Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.1.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.5.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "3.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.311",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.152",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.122",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.1.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.1.1",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.2.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.3.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.4.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.5.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Service Bus",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "4.9.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "1.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.2.0.162",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.132",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.115",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.112",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Open Banking AM",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "crnkovic"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products.\u003cbr\u003e\u003cbr\u003eA successful XXE attack could allow a remote, unauthenticated attacker to:\u003cbr\u003e\u003cul\u003e\u003cli\u003eRead sensitive files from the server\u2019s filesystem.\u003c/li\u003e\u003cli\u003ePerform denial-of-service (DoS) attacks, which can render the affected service unavailable.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products.\n\nA successful XXE attack could allow a remote, unauthenticated attacker to:\n  *  Read sensitive files from the server\u2019s filesystem.\n  *  Perform denial-of-service (DoS) attacks, which can render the affected service unavailable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-16T11:39:21.741Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Follow the instructions given on\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3...\u003c/a\u003e\u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2025-3993",
            "discovery": "EXTERNAL"
          },
          "title": "An XML External Entity (XXE) vulnerability in Multiple WSO2 Products",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2025-2905",
        "datePublished": "2025-05-05T09:02:01.489Z",
        "dateReserved": "2025-03-28T08:46:09.062Z",
        "dateUpdated": "2025-10-16T11:39:21.741Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-9955 (GCVE-0-2025-9955)

    Vulnerability from cvelistv5 – Published: 2025-10-16 12:14 – Updated: 2025-10-16 13:29
    VLAI
    Title
    Improper Access Control in WSO2 Enterprise Integrator Product via SOAP Admin Services for Logs and User-Store Configuration
    Summary
    An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level. While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.0.0 (custom)
    Affected: 6.0.0 , < 6.0.0.22 (custom)
    Affected: 6.1.0 , < 6.1.0.39 (custom)
    Affected: 6.1.1 , < 6.1.1.43 (custom)
    Affected: 6.2.0 , < 6.2.0.62 (custom)
    Affected: 6.3.0 , < 6.3.0.70 (custom)
    Affected: 6.4.0 , < 6.4.0.100 (custom)
    Affected: 6.5.0 , < 6.5.0.107 (custom)
    Affected: 6.6.0 , < 6.6.0.222 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Service Bus Unknown: 0 , < 5.0.0 (custom)
    Affected: 5.0.0 , < 5.0.0.29 (custom)
    Create a notification for this product.
    WSO2 org.wso2.carbon:org.wso2.carbon.base Affected: 4.4.8 , < 4.4.8.7 (custom)
    Affected: 4.4.14 , < 4.4.14.5 (custom)
    Affected: 4.4.16 , < 4.4.16.9 (custom)
    Affected: 4.4.26 , < 4.4.26.13 (custom)
    Affected: 4.4.32 , < 4.4.32.16 (custom)
    Affected: 4.4.36 , < 4.4.36.7 (custom)
    Affected: 4.4.40 , < 4.4.40.37 (custom)
    Affected: 4.5.3 , < 4.5.3.45 (custom)
    Affected: 4.9 , < 4.9.29 (custom)
    Affected: 4.10 , < 4.10.94 (custom)
    Create a notification for this product.
    WSO2 org.wso2.carbon:org.wso2.carbon.server.admin Affected: 4.4.8 , < 4.4.8.7 (custom)
    Affected: 4.4.14 , < 4.4.14.5 (custom)
    Affected: 4.4.16 , < 4.4.16.9 (custom)
    Affected: 4.4.26 , < 4.4.26.13 (custom)
    Affected: 4.4.32 , < 4.4.32.16 (custom)
    Affected: 4.4.36 , < 4.4.36.7 (custom)
    Affected: 4.4.40 , < 4.4.40.37 (custom)
    Affected: 4.5.3 , < 4.5.3.45 (custom)
    Affected: 4.9 , < 4.9.29 (custom)
    Affected: 4.10 , < 4.10.94 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9955",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-16T13:23:25.309685Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "CWE-863 Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-16T13:29:14.882Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.0.22",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0.39",
                  "status": "affected",
                  "version": "6.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.1.43",
                  "status": "affected",
                  "version": "6.1.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.2.0.62",
                  "status": "affected",
                  "version": "6.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.3.0.70",
                  "status": "affected",
                  "version": "6.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.4.0.100",
                  "status": "affected",
                  "version": "6.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.5.0.107",
                  "status": "affected",
                  "version": "6.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.6.0.222",
                  "status": "affected",
                  "version": "6.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Service Bus",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "5.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.0.0.29",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon:org.wso2.carbon.base",
              "product": "org.wso2.carbon:org.wso2.carbon.base",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.4.8.7",
                  "status": "affected",
                  "version": "4.4.8",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.14.5",
                  "status": "affected",
                  "version": "4.4.14",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.16.9",
                  "status": "affected",
                  "version": "4.4.16",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.26.13",
                  "status": "affected",
                  "version": "4.4.26",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.32.16",
                  "status": "affected",
                  "version": "4.4.32",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.36.7",
                  "status": "affected",
                  "version": "4.4.36",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.40.37",
                  "status": "affected",
                  "version": "4.4.40",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.5.3.45",
                  "status": "affected",
                  "version": "4.5.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.9.29",
                  "status": "affected",
                  "version": "4.9",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.10.94",
                  "status": "affected",
                  "version": "4.10",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon:org.wso2.carbon.server.admin",
              "product": "org.wso2.carbon:org.wso2.carbon.server.admin",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.4.8.7",
                  "status": "affected",
                  "version": "4.4.8",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.14.5",
                  "status": "affected",
                  "version": "4.4.14",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.16.9",
                  "status": "affected",
                  "version": "4.4.16",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.26.13",
                  "status": "affected",
                  "version": "4.4.26",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.32.16",
                  "status": "affected",
                  "version": "4.4.32",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.36.7",
                  "status": "affected",
                  "version": "4.4.36",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.40.37",
                  "status": "affected",
                  "version": "4.4.40",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.5.3.45",
                  "status": "affected",
                  "version": "4.5.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.9.29",
                  "status": "affected",
                  "version": "4.9",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.10.94",
                  "status": "affected",
                  "version": "4.10",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level.\u003cbr\u003e\u003cbr\u003eWhile no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance.\u003cbr\u003e"
                }
              ],
              "value": "An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level.\n\nWhile no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-16T12:14:56.477Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4526/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2025-4526",
            "discovery": "INTERNAL"
          },
          "title": "Improper Access Control in WSO2 Enterprise Integrator Product via SOAP Admin Services for Logs and User-Store Configuration",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2025-9955",
        "datePublished": "2025-10-16T12:14:56.477Z",
        "dateReserved": "2025-09-03T15:10:08.622Z",
        "dateUpdated": "2025-10-16T13:29:14.882Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7074 (GCVE-0-2024-7074)

    Vulnerability from cvelistv5 – Published: 2025-06-02 16:42 – Updated: 2025-06-02 17:05
    VLAI
    Title
    Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution
    Summary
    An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.0.0 (custom)
    Affected: 6.0.0 , < 6.0.0.21 (custom)
    Affected: 6.1.0 , < 6.1.0.38 (custom)
    Affected: 6.1.1 , < 6.1.1.42 (custom)
    Affected: 6.2.0 , < 6.2.0.61 (custom)
    Affected: 6.3.0 , < 6.3.0.69 (custom)
    Affected: 6.4.0 , < 6.4.0.96 (custom)
    Affected: 6.5.0 , < 6.5.0.102 (custom)
    Affected: 6.6.0 , < 6.6.0.198 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Manager Unknown: 0 , < 2.0.0 (custom)
    Affected: 2.0.0 , < 2.0.0.28 (custom)
    Affected: 2.1.0 , < 2.1.0.38 (custom)
    Affected: 2.2.0 , < 2.2.0.57 (custom)
    Affected: 2.5.0 , < 2.5.0.83 (custom)
    Affected: 2.6.0 , < 2.6.0.143 (custom)
    Affected: 3.0.0 , < 3.0.0.162 (custom)
    Affected: 3.1.0 , < 3.1.0.293 (custom)
    Affected: 3.2.0 , < 3.2.0.384 (custom)
    Affected: 3.2.1 , < 3.2.1.16 (custom)
    Affected: 4.0.0 , < 4.0.0.305 (custom)
    Affected: 4.1.0 , < 4.1.0.166 (custom)
    Affected: 4.2.0 , < 4.2.0.100 (custom)
    Affected: 4.3.0 , < 4.3.0.16 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Service Bus Affected: 4.9.0 , < 4.9.0.10 (custom)
    Affected: 5.0.0 , < 5.0.0.28 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Mobility Manager Affected: 2.2.0 , < 2.2.0.27 (custom)
    Create a notification for this product.
    WSO2 WSO2 Micro Integrator Unknown: 0 , < 1.0.0 (custom)
    Affected: 1.0.0 , < 1.0.0.49 (custom)
    Create a notification for this product.
    WSO2 WSO2 Open Banking AM Unknown: 0 , < 1.3.0 (custom)
    Affected: 1.3.0 , < 1.3.0.132 (custom)
    Affected: 1.4.0 , < 1.4.0.135 (custom)
    Affected: 1.5.0 , < 1.5.0.137 (custom)
    Affected: 2.0.0 , < 2.0.0.342 (custom)
    Create a notification for this product.
    WSO2 WSO2 Carbon Synapse Artifact Uploader BE Affected: 4.4.10 , < 4.4.10.3 (custom)
    Affected: 4.6.1 , < 4.6.1.4 (custom)
    Affected: 4.6.6 , < 4.6.6.9 (custom)
    Affected: 4.6.10 , < 4.6.10.4 (custom)
    Affected: 4.6.16 , < 4.6.16.2 (custom)
    Affected: 4.6.19 , < 4.6.19.10 (custom)
    Affected: 4.6.64 , < 4.6.64.2 (custom)
    Affected: 4.6.67 , < 4.6.67.15 (custom)
    Affected: 4.6.89 , < 4.6.89.12 (custom)
    Affected: 4.6.105 , < 4.6.105.59 (custom)
    Affected: 4.6.150 , < 4.6.150.11 (custom)
    Affected: 4.7.20 , < 4.7.20.5 (custom)
    Affected: 4.7.30 , < 4.7.30.42 (custom)
    Affected: 4.7.35 , < 4.7.35.5 (custom)
    Affected: 4.7.61 , < 4.7.61.56 (custom)
    Affected: 4.7.99 , < 4.7.99.299 (custom)
    Affected: 4.7.131 , < 4.7.131.15 (custom)
    Affected: 4.7.175 , < 4.7.175.18 (custom)
    Affected: 4.7.188 , < 4.7.188.5 (custom)
    Affected: 4.7.204 , < 4.7.204.5 (custom)
    Unaffected: 4.7.216 , ≤ * (custom)
    Create a notification for this product.
    Credits
    Anonymous working with Trend Micro Zero Day Initiative
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-02T17:04:40.480620Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-02T17:05:49.920Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.0.21",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0.38",
                  "status": "affected",
                  "version": "6.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.1.42",
                  "status": "affected",
                  "version": "6.1.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.2.0.61",
                  "status": "affected",
                  "version": "6.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.3.0.69",
                  "status": "affected",
                  "version": "6.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.4.0.96",
                  "status": "affected",
                  "version": "6.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.5.0.102",
                  "status": "affected",
                  "version": "6.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.6.0.198",
                  "status": "affected",
                  "version": "6.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.0.28",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.0.38",
                  "status": "affected",
                  "version": "2.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.0.57",
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.0.83",
                  "status": "affected",
                  "version": "2.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.6.0.143",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.0.162",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.1.0.293",
                  "status": "affected",
                  "version": "3.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.0.384",
                  "status": "affected",
                  "version": "3.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.1.16",
                  "status": "affected",
                  "version": "3.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.305",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.166",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.100",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.3.0.16",
                  "status": "affected",
                  "version": "4.3.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "WSO2 Enterprise Service Bus",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.9.0.10",
                  "status": "affected",
                  "version": "4.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.0.0.28",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "WSO2 Enterprise Mobility Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.2.0.27",
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.0.0.49",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Open Banking AM",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.3.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.3.0.132",
                  "status": "affected",
                  "version": "1.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.4.0.135",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.5.0.137",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.0.342",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon.mediation:org.wso2.carbon.mediation.artifactuploader",
              "product": "WSO2 Carbon Synapse Artifact Uploader BE",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.4.10.3",
                  "status": "affected",
                  "version": "4.4.10",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.1.4",
                  "status": "affected",
                  "version": "4.6.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.6.9",
                  "status": "affected",
                  "version": "4.6.6",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.10.4",
                  "status": "affected",
                  "version": "4.6.10",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.16.2",
                  "status": "affected",
                  "version": "4.6.16",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.19.10",
                  "status": "affected",
                  "version": "4.6.19",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.64.2",
                  "status": "affected",
                  "version": "4.6.64",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.67.15",
                  "status": "affected",
                  "version": "4.6.67",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.89.12",
                  "status": "affected",
                  "version": "4.6.89",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.105.59",
                  "status": "affected",
                  "version": "4.6.105",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.6.150.11",
                  "status": "affected",
                  "version": "4.6.150",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.20.5",
                  "status": "affected",
                  "version": "4.7.20",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.30.42",
                  "status": "affected",
                  "version": "4.7.30",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.35.5",
                  "status": "affected",
                  "version": "4.7.35",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.61.56",
                  "status": "affected",
                  "version": "4.7.61",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.99.299",
                  "status": "affected",
                  "version": "4.7.99",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.131.15",
                  "status": "affected",
                  "version": "4.7.131",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.175.18",
                  "status": "affected",
                  "version": "4.7.175",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.188.5",
                  "status": "affected",
                  "version": "4.7.188",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.7.204.5",
                  "status": "affected",
                  "version": "4.7.204",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "4.7.216",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Anonymous working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server.\u003cbr\u003e\u003cbr\u003eBy leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.\u003cbr\u003e"
                }
              ],
              "value": "An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server.\n\nBy leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-02T16:42:19.264Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3566/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Follow the instructions given on \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3566/#solution\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3...\u003c/a\u003e \u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3566/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2024-3566",
            "discovery": "EXTERNAL"
          },
          "title": "Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2024-7074",
        "datePublished": "2025-06-02T16:42:19.264Z",
        "dateReserved": "2024-07-24T12:15:52.796Z",
        "dateUpdated": "2025-06-02T17:05:49.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2905 (GCVE-0-2025-2905)

    Vulnerability from cvelistv5 – Published: 2025-05-05 09:02 – Updated: 2025-10-16 11:39
    VLAI
    Title
    An XML External Entity (XXE) vulnerability in Multiple WSO2 Products
    Summary
    Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: * Read sensitive files from the server’s filesystem. * Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 API Manager Affected: 0 , < 2.0.0 (custom)
    Affected: 2.1.0 (custom)
    Affected: 2.2.0 (custom)
    Affected: 2.5.0 (custom)
    Affected: 2.6.0 (custom)
    Affected: 3.0.0 (custom)
    Affected: 3.1.0 (custom)
    Affected: 4.0.0 , < 4.0.0.311 (custom)
    Affected: 4.1.0 , < 4.1.0.152 (custom)
    Affected: 4.2.0 , < 4.2.0.122 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.0.0 (custom)
    Affected: 6.0.0 (custom)
    Affected: 6.1.0 (custom)
    Affected: 6.1.1 (custom)
    Affected: 6.2.0 (custom)
    Affected: 6.3.0 (custom)
    Affected: 6.4.0 (custom)
    Affected: 6.5.0 (custom)
    Affected: 6.6.0 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Service Bus Unknown: 0 , < 4.9.0 (custom)
    Affected: 4.9.0 (custom)
    Affected: 5.0.0 (custom)
    Create a notification for this product.
    WSO2 WSO2 Micro integrator Unknown: 0 , < 1.0.0 (custom)
    Affected: 1.0.0 (custom)
    Affected: 1.1.0 (custom)
    Affected: 1.2.0 , < 1.2.0.162 (custom)
    Affected: 4.0.0 , < 4.0.0.132 (custom)
    Affected: 4.1.0 , < 4.1.0.115 (custom)
    Affected: 4.2.0 , < 4.2.0.112 (custom)
    Create a notification for this product.
    WSO2 WSO2 Open Banking AM Unknown: 0 , < 1.5.0 (custom)
    Affected: 1.5.0 (custom)
    Create a notification for this product.
    Credits
    crnkovic
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2905",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-05T12:44:33.257401Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-05T12:45:10.518Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.1.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.2.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.5.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "3.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.311",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.152",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.122",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.1.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.1.1",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.2.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.3.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.4.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.5.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "6.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Service Bus",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "4.9.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "1.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.2.0.162",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.132",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.115",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.112",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Open Banking AM",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "crnkovic"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products.\u003cbr\u003e\u003cbr\u003eA successful XXE attack could allow a remote, unauthenticated attacker to:\u003cbr\u003e\u003cul\u003e\u003cli\u003eRead sensitive files from the server\u2019s filesystem.\u003c/li\u003e\u003cli\u003ePerform denial-of-service (DoS) attacks, which can render the affected service unavailable.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products.\n\nA successful XXE attack could allow a remote, unauthenticated attacker to:\n  *  Read sensitive files from the server\u2019s filesystem.\n  *  Perform denial-of-service (DoS) attacks, which can render the affected service unavailable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-16T11:39:21.741Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Follow the instructions given on\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3...\u003c/a\u003e\u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2025-3993",
            "discovery": "EXTERNAL"
          },
          "title": "An XML External Entity (XXE) vulnerability in Multiple WSO2 Products",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2025-2905",
        "datePublished": "2025-05-05T09:02:01.489Z",
        "dateReserved": "2025-03-28T08:46:09.062Z",
        "dateUpdated": "2025-10-16T11:39:21.741Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }