Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for micro_integrator by wso2

    CVE-2025-11093 (GCVE-0-2025-11093)

    Vulnerability from nvd – Published: 2025-11-05 18:31 – Updated: 2025-11-05 19:39
    VLAI
    Title
    Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS)
    Summary
    An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 Micro Integrator Unknown: 0 , < 4.0.0 (custom)
    Affected: 4.0.0 , < 4.0.0.145 (custom)
    Affected: 4.1.0 , < 4.1.0.147 (custom)
    Affected: 4.2.0 , < 4.2.0.141 (custom)
    Affected: 4.3.0 , < 4.3.0.42 (custom)
    Affected: 4.4.0 , < 4.4.0.27 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Manager Unknown: 0 , < 3.1.0 (custom)
    Affected: 3.1.0 , < 3.1.0.345 (custom)
    Affected: 3.2.0 , < 3.2.0.446 (custom)
    Affected: 3.2.1 , < 3.2.1.66 (custom)
    Affected: 4.0.0 , < 4.0.0.366 (custom)
    Affected: 4.1.0 , < 4.1.0.228 (custom)
    Affected: 4.2.0 , < 4.2.0.169 (custom)
    Affected: 4.3.0 , < 4.3.0.81 (custom)
    Affected: 4.4.0 , < 4.4.0.45 (custom)
    Affected: 4.5.0 , < 4.5.0.28 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.6.0 (custom)
    Affected: 6.6.0 , < 6.6.0.224 (custom)
    Create a notification for this product.
    WSO2 WSO2 Universal Gateway Affected: 4.5.0 , < 4.5.0.27 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Control Plane Affected: 4.5.0 , < 4.5.0.29 (custom)
    Create a notification for this product.
    WSO2 WSO2 Traffic Manager Affected: 4.5.0 , < 4.5.0.27 (custom)
    Create a notification for this product.
    WSO2 WSO2 Open Banking IAM Unknown: 0 , < 2.0.0 (custom)
    Affected: 2.0.0 , < 2.0.0.414 (custom)
    Create a notification for this product.
    WSO2 WSO2 Open Banking AM Unknown: 0 , < 2.0.0 (custom)
    Affected: 2.0.0 , < 2.0.0.394 (custom)
    Create a notification for this product.
    WSO2 WSO2 Identity Server as Key Manager Unknown: 0 , < 5.10.0 (custom)
    Affected: 5.10.0 , < 5.10.0.365 (custom)
    Create a notification for this product.
    WSO2 org.apache.synapse:synapse-core Affected: 2.1.7.wso2v227 , < 2.1.7.wso2v227_99 (custom)
    Affected: 2.1.7.wso2v271 , < 2.1.7.wso2v271_88 (custom)
    Affected: 2.1.7.wso2v143 , < 2.1.7.wso2v143_121 (custom)
    Affected: 2.1.7.wso2v319 , < 2.1.7.wso2v319_13 (custom)
    Affected: 2.1.7.wso2v183 , < 2.1.7.wso2v183_72 (custom)
    Affected: 4.0.0.wso2v119 , < 4.0.0.wso2v119_27 (custom)
    Affected: 4.0.0.wso2v20 , < 4.0.0.wso2v20_93 (custom)
    Affected: 4.0.0.wso2v215 , < 4.0.0.wso2v215_26 (custom)
    Affected: 4.0.0.wso2v218 , < 4.0.0.wso2v218_1 (custom)
    Affected: 4.0.0.wso2v105 , < 4.0.0.wso2v105_13 (custom)
    Affected: 4.0.0.wso2v131 , < 4.0.0.wso2v131_5 (custom)
    Unaffected: 4.0.0-wso2v254 , ≤ * (custom)
    Create a notification for this product.
    WSO2 org.apache.synapse:synapse-extensions Affected: 2.1.7.wso2v227 , < 2.1.7.wso2v227_99 (custom)
    Affected: 2.1.7.wso2v271 , < 2.1.7.wso2v271_88 (custom)
    Affected: 2.1.7.wso2v143 , < 2.1.7.wso2v143_121 (custom)
    Affected: 2.1.7.wso2v319 , < 2.1.7.wso2v319_13 (custom)
    Affected: 2.1.7.wso2v183 , < 2.1.7.wso2v183_72 (custom)
    Affected: 4.0.0.wso2v119 , < 4.0.0.wso2v119_27 (custom)
    Affected: 4.0.0.wso2v20 , < 4.0.0.wso2v20_93 (custom)
    Affected: 4.0.0.wso2v215 , < 4.0.0.wso2v215_26 (custom)
    Affected: 4.0.0.wso2v218 , < 4.0.0.wso2v218_1 (custom)
    Affected: 4.0.0.wso2v105 , < 4.0.0.wso2v105_13 (custom)
    Affected: 4.0.0.wso2v131 , < 4.0.0.wso2v131_5 (custom)
    Unaffected: 4.0.0-wso2v254 , ≤ * (custom)
    Create a notification for this product.
    Credits
    crnković
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11093",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-05T19:14:13.042418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-05T19:39:15.696Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.145",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.147",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.141",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.3.0.42",
                  "status": "affected",
                  "version": "4.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.0.27",
                  "status": "affected",
                  "version": "4.4.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "3.1.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.1.0.345",
                  "status": "affected",
                  "version": "3.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.0.446",
                  "status": "affected",
                  "version": "3.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.1.66",
                  "status": "affected",
                  "version": "3.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.366",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.228",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.169",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.3.0.81",
                  "status": "affected",
                  "version": "4.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.0.45",
                  "status": "affected",
                  "version": "4.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.5.0.28",
                  "status": "affected",
                  "version": "4.5.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.6.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.6.0.224",
                  "status": "affected",
                  "version": "6.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Universal Gateway",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.5.0.27",
                  "status": "affected",
                  "version": "4.5.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Control Plane",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.5.0.29",
                  "status": "affected",
                  "version": "4.5.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Traffic Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.5.0.27",
                  "status": "affected",
                  "version": "4.5.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Open Banking IAM",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.0.414",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Open Banking AM",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.0.394",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Identity Server as Key Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "5.10.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.10.0.365",
                  "status": "affected",
                  "version": "5.10.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.apache.synapse:synapse-core",
              "product": "org.apache.synapse:synapse-core",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.1.7.wso2v227_99",
                  "status": "affected",
                  "version": "2.1.7.wso2v227",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v271_88",
                  "status": "affected",
                  "version": "2.1.7.wso2v271",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v143_121",
                  "status": "affected",
                  "version": "2.1.7.wso2v143",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v319_13",
                  "status": "affected",
                  "version": "2.1.7.wso2v319",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v183_72",
                  "status": "affected",
                  "version": "2.1.7.wso2v183",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v119_27",
                  "status": "affected",
                  "version": "4.0.0.wso2v119",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v20_93",
                  "status": "affected",
                  "version": "4.0.0.wso2v20",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v215_26",
                  "status": "affected",
                  "version": "4.0.0.wso2v215",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v218_1",
                  "status": "affected",
                  "version": "4.0.0.wso2v218",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v105_13",
                  "status": "affected",
                  "version": "4.0.0.wso2v105",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v131_5",
                  "status": "affected",
                  "version": "4.0.0.wso2v131",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "4.0.0-wso2v254",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.apache.synapse:synapse-extensions",
              "product": "org.apache.synapse:synapse-extensions",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.1.7.wso2v227_99",
                  "status": "affected",
                  "version": "2.1.7.wso2v227",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v271_88",
                  "status": "affected",
                  "version": "2.1.7.wso2v271",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v143_121",
                  "status": "affected",
                  "version": "2.1.7.wso2v143",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v319_13",
                  "status": "affected",
                  "version": "2.1.7.wso2v319",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v183_72",
                  "status": "affected",
                  "version": "2.1.7.wso2v183",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v119_27",
                  "status": "affected",
                  "version": "4.0.0.wso2v119",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v20_93",
                  "status": "affected",
                  "version": "4.0.0.wso2v20",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v215_26",
                  "status": "affected",
                  "version": "4.0.0.wso2v215",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v218_1",
                  "status": "affected",
                  "version": "4.0.0.wso2v218",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v105_13",
                  "status": "affected",
                  "version": "4.0.0.wso2v105",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v131_5",
                  "status": "affected",
                  "version": "4.0.0.wso2v131",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "4.0.0-wso2v254",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.145",
                      "versionStartIncluding": "4.0.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.1.0.147",
                      "versionStartIncluding": "4.1.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.2.0.141",
                      "versionStartIncluding": "4.2.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.3.0.42",
                      "versionStartIncluding": "4.3.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.4.0.27",
                      "versionStartIncluding": "4.4.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.1.0.345",
                      "versionStartIncluding": "3.1.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.2.0.446",
                      "versionStartIncluding": "3.2.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.2.1.66",
                      "versionStartIncluding": "3.2.1",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.366",
                      "versionStartIncluding": "4.0.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.1.0.228",
                      "versionStartIncluding": "4.1.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.2.0.169",
                      "versionStartIncluding": "4.2.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.3.0.81",
                      "versionStartIncluding": "4.3.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.4.0.45",
                      "versionStartIncluding": "4.4.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.5.0.28",
                      "versionStartIncluding": "4.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "6.6.0.224",
                      "versionStartIncluding": "6.6.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.5.0.27",
                      "versionStartIncluding": "4.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.5.0.29",
                      "versionStartIncluding": "4.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.5.0.27",
                      "versionStartIncluding": "4.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.0.0.414",
                      "versionStartIncluding": "2.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.0.0.394",
                      "versionStartIncluding": "2.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.10.0.365",
                      "versionStartIncluding": "5.10.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v227_99",
                      "versionStartIncluding": "2.1.7.wso2v227",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v271_88",
                      "versionStartIncluding": "2.1.7.wso2v271",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v143_121",
                      "versionStartIncluding": "2.1.7.wso2v143",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v319_13",
                      "versionStartIncluding": "2.1.7.wso2v319",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v183_72",
                      "versionStartIncluding": "2.1.7.wso2v183",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v119_27",
                      "versionStartIncluding": "4.0.0.wso2v119",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v20_93",
                      "versionStartIncluding": "4.0.0.wso2v20",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v215_26",
                      "versionStartIncluding": "4.0.0.wso2v215",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v218_1",
                      "versionStartIncluding": "4.0.0.wso2v218",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v105_13",
                      "versionStartIncluding": "4.0.0.wso2v105",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v131_5",
                      "versionStartIncluding": "4.0.0.wso2v131",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "*",
                      "versionStartIncluding": "4.0.0-wso2v254",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v227_99",
                      "versionStartIncluding": "2.1.7.wso2v227",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v271_88",
                      "versionStartIncluding": "2.1.7.wso2v271",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v143_121",
                      "versionStartIncluding": "2.1.7.wso2v143",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v319_13",
                      "versionStartIncluding": "2.1.7.wso2v319",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v183_72",
                      "versionStartIncluding": "2.1.7.wso2v183",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v119_27",
                      "versionStartIncluding": "4.0.0.wso2v119",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v20_93",
                      "versionStartIncluding": "4.0.0.wso2v20",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v215_26",
                      "versionStartIncluding": "4.0.0.wso2v215",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v218_1",
                      "versionStartIncluding": "4.0.0.wso2v218",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v105_13",
                      "versionStartIncluding": "4.0.0.wso2v105",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v131_5",
                      "versionStartIncluding": "4.0.0.wso2v131",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "*",
                      "versionStartIncluding": "4.0.0-wso2v254",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "crnkovi\u0107"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.\u003cbr\u003e\u003cbr\u003eBy default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.\u003cbr\u003e"
                }
              ],
              "value": "An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.\n\nBy default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-05T18:34:04.737Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2025-4510",
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2025-11093",
        "datePublished": "2025-11-05T18:31:17.873Z",
        "dateReserved": "2025-09-27T07:10:05.485Z",
        "dateUpdated": "2025-11-05T19:39:15.696Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4598 (GCVE-0-2024-4598)

    Vulnerability from nvd – Published: 2025-09-23 10:39 – Updated: 2025-09-23 19:35
    VLAI
    Title
    Information Disclosure in Multiple WSO2 Products Due to Improper Handling in Enrich Mediator
    Summary
    An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions. This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1259 - Improper Restriction of Security Token Assignment
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 API Manager Unknown: 0 , < 3.2.0 (custom)
    Affected: 3.2.0 , < 3.2.0.422 (custom)
    Affected: 3.2.1 , < 3.2.1.42 (custom)
    Affected: 4.1.0 , < 4.1.0.152 (custom)
    Affected: 4.3.0 , < 4.3.0.55 (custom)
    Create a notification for this product.
    WSO2 WSO2 Micro Integrator Unknown: 0 , < 1.2.0 (custom)
    Affected: 1.2.0 , < 1.2.0.157 (custom)
    Affected: 4.1.0 , < 4.1.0.95 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4598",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-23T19:35:13.107728Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1259",
                    "description": "CWE-1259 Improper Restriction of Security Token Assignment",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-23T19:35:33.987Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "3.2.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.0.422",
                  "status": "affected",
                  "version": "3.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.1.42",
                  "status": "affected",
                  "version": "3.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.152",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.3.0.55",
                  "status": "affected",
                  "version": "4.3.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.2.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.2.0.157",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.95",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.\u003cbr\u003e\u003cbr\u003eThis vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows."
                }
              ],
              "value": "An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.\n\nThis vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-23T10:39:16.195Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2024-3355",
            "discovery": "INTERNAL"
          },
          "title": "Information Disclosure in Multiple WSO2 Products Due to Improper Handling in Enrich Mediator",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2024-4598",
        "datePublished": "2025-09-23T10:39:16.195Z",
        "dateReserved": "2024-05-07T06:40:12.013Z",
        "dateUpdated": "2025-09-23T19:35:33.987Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6836 (GCVE-0-2023-6836)

    Vulnerability from nvd – Published: 2023-12-15 09:26 – Updated: 2024-08-02 08:42
    VLAI
    Summary
    Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 API Manager Unknown: 0 , < 3.0.0.0 (custom)
    Affected: 3.0.0.0 , < 3.0.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Manager Analytics Unknown: 0 , < 2.2.0.0 (custom)
    Affected: 2.2.0.0 , < 2.2.0.1 (custom)
    Affected: 2.5.0.0 , < 2.5.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Microgateway Unknown: 0 , < 2.2.0.0 (custom)
    Affected: 2.2.0.0 , < 2.2.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.0.0.2 (custom)
    Affected: 6.0.0.0 , < 6.0.0.3 (custom)
    Affected: 6.1.0.0 , < 6.1.0.5 (custom)
    Affected: 6.1.1.0 , < 6.1.1.5 (custom)
    Affected: 6.6.0.0 , < 6.6.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 IS as Key Manager Unknown: 0 , < 5.5.0.0 (custom)
    Affected: 5.5.0.0 , < 5.5.0.1 (custom)
    Affected: 5.6.0.0 , < 5.6.0.1 (custom)
    Affected: 5.7.0.0 , < 5.7.0.1 (custom)
    Affected: 5.9.0.0 , < 5.9.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 Identity Server Unknown: 0 , < 5.4.0.0 (custom)
    Affected: 5.4.0.0 , < 5.4.0.1 (custom)
    Affected: 5.4.1.0 , < 5.4.1.1 (custom)
    Affected: 5.5.0.0 , < 5.5.0.1 (custom)
    Affected: 5.6.0.0 , < 5.6.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 Micro Integrator Unknown: 0 , < 1.0.0.0 (custom)
    Affected: 1.0.0.0 , < 1.0.0.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:42:08.180Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager ",
              "repo": "https://github.com/wso2/product-apim",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "3.0.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.0.1",
                  "status": "affected",
                  "version": "3.0.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager Analytics",
              "repo": "https://github.com/wso2/analytics-apim",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.0.1",
                  "status": "affected",
                  "version": "2.2.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.0.1",
                  "status": "affected",
                  "version": "2.5.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Microgateway",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.0.1",
                  "status": "affected",
                  "version": "2.2.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "repo": "https://github.com/wso2/product-ei",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.0.0.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.0.3",
                  "status": "affected",
                  "version": "6.0.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0.5",
                  "status": "affected",
                  "version": "6.1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.1.5",
                  "status": "affected",
                  "version": "6.1.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.6.0.1",
                  "status": "affected",
                  "version": "6.6.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 IS as Key Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "5.5.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.5.0.1",
                  "status": "affected",
                  "version": "5.5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.6.0.1",
                  "status": "affected",
                  "version": "5.6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.7.0.1",
                  "status": "affected",
                  "version": "5.7.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.9.0.1",
                  "status": "affected",
                  "version": "5.9.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Identity Server",
              "repo": "https://github.com/wso2/product-is",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "5.4.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.4.0.1",
                  "status": "affected",
                  "version": "5.4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.4.1.1",
                  "status": "affected",
                  "version": "5.4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.5.0.1",
                  "status": "affected",
                  "version": "5.5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.6.0.1",
                  "status": "affected",
                  "version": "5.6.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.0.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.0.0.1",
                  "status": "affected",
                  "version": "1.0.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."
                }
              ],
              "value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-250",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-250 XML Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-09T05:03:32.570Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\u003cbr\u003e\u003cbr\u003eCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/\u003c/a\u003e\u003cbr\u003e"
                }
              ],
              "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ \n"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2023-6836",
        "datePublished": "2023-12-15T09:26:01.323Z",
        "dateReserved": "2023-12-15T09:25:13.205Z",
        "dateUpdated": "2024-08-02T08:42:08.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-29548 (GCVE-0-2022-29548)

    Vulnerability from nvd – Published: 2022-04-21 00:00 – Updated: 2024-08-03 06:26
    VLAI
    Summary
    A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:26:06.033Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AC:L/AV:A/A:N/C:L/I:L/PR:N/S:U/UI:R",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-03T04:55:32.147Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603"
            },
            {
              "url": "http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html"
            },
            {
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-29548",
        "datePublished": "2022-04-21T00:00:00.000Z",
        "dateReserved": "2022-04-21T00:00:00.000Z",
        "dateUpdated": "2024-08-03T06:26:06.033Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17453 (GCVE-0-2020-17453)

    Vulnerability from nvd – Published: 2021-04-05 00:00 – Updated: 2024-08-04 13:53
    VLAI Shadowserver
    Summary
    WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:53:17.471Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://twitter.com/JacksonHHax/status/1374681422678519813"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/JHHAX/CVE-2020-17453-PoC"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-11T02:23:53.848Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://twitter.com/JacksonHHax/status/1374681422678519813"
            },
            {
              "url": "https://github.com/JHHAX/CVE-2020-17453-PoC"
            },
            {
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-17453",
        "datePublished": "2021-04-05T00:00:00.000Z",
        "dateReserved": "2020-08-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T13:53:17.471Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-11093 (GCVE-0-2025-11093)

    Vulnerability from cvelistv5 – Published: 2025-11-05 18:31 – Updated: 2025-11-05 19:39
    VLAI
    Title
    Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS)
    Summary
    An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 Micro Integrator Unknown: 0 , < 4.0.0 (custom)
    Affected: 4.0.0 , < 4.0.0.145 (custom)
    Affected: 4.1.0 , < 4.1.0.147 (custom)
    Affected: 4.2.0 , < 4.2.0.141 (custom)
    Affected: 4.3.0 , < 4.3.0.42 (custom)
    Affected: 4.4.0 , < 4.4.0.27 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Manager Unknown: 0 , < 3.1.0 (custom)
    Affected: 3.1.0 , < 3.1.0.345 (custom)
    Affected: 3.2.0 , < 3.2.0.446 (custom)
    Affected: 3.2.1 , < 3.2.1.66 (custom)
    Affected: 4.0.0 , < 4.0.0.366 (custom)
    Affected: 4.1.0 , < 4.1.0.228 (custom)
    Affected: 4.2.0 , < 4.2.0.169 (custom)
    Affected: 4.3.0 , < 4.3.0.81 (custom)
    Affected: 4.4.0 , < 4.4.0.45 (custom)
    Affected: 4.5.0 , < 4.5.0.28 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.6.0 (custom)
    Affected: 6.6.0 , < 6.6.0.224 (custom)
    Create a notification for this product.
    WSO2 WSO2 Universal Gateway Affected: 4.5.0 , < 4.5.0.27 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Control Plane Affected: 4.5.0 , < 4.5.0.29 (custom)
    Create a notification for this product.
    WSO2 WSO2 Traffic Manager Affected: 4.5.0 , < 4.5.0.27 (custom)
    Create a notification for this product.
    WSO2 WSO2 Open Banking IAM Unknown: 0 , < 2.0.0 (custom)
    Affected: 2.0.0 , < 2.0.0.414 (custom)
    Create a notification for this product.
    WSO2 WSO2 Open Banking AM Unknown: 0 , < 2.0.0 (custom)
    Affected: 2.0.0 , < 2.0.0.394 (custom)
    Create a notification for this product.
    WSO2 WSO2 Identity Server as Key Manager Unknown: 0 , < 5.10.0 (custom)
    Affected: 5.10.0 , < 5.10.0.365 (custom)
    Create a notification for this product.
    WSO2 org.apache.synapse:synapse-core Affected: 2.1.7.wso2v227 , < 2.1.7.wso2v227_99 (custom)
    Affected: 2.1.7.wso2v271 , < 2.1.7.wso2v271_88 (custom)
    Affected: 2.1.7.wso2v143 , < 2.1.7.wso2v143_121 (custom)
    Affected: 2.1.7.wso2v319 , < 2.1.7.wso2v319_13 (custom)
    Affected: 2.1.7.wso2v183 , < 2.1.7.wso2v183_72 (custom)
    Affected: 4.0.0.wso2v119 , < 4.0.0.wso2v119_27 (custom)
    Affected: 4.0.0.wso2v20 , < 4.0.0.wso2v20_93 (custom)
    Affected: 4.0.0.wso2v215 , < 4.0.0.wso2v215_26 (custom)
    Affected: 4.0.0.wso2v218 , < 4.0.0.wso2v218_1 (custom)
    Affected: 4.0.0.wso2v105 , < 4.0.0.wso2v105_13 (custom)
    Affected: 4.0.0.wso2v131 , < 4.0.0.wso2v131_5 (custom)
    Unaffected: 4.0.0-wso2v254 , ≤ * (custom)
    Create a notification for this product.
    WSO2 org.apache.synapse:synapse-extensions Affected: 2.1.7.wso2v227 , < 2.1.7.wso2v227_99 (custom)
    Affected: 2.1.7.wso2v271 , < 2.1.7.wso2v271_88 (custom)
    Affected: 2.1.7.wso2v143 , < 2.1.7.wso2v143_121 (custom)
    Affected: 2.1.7.wso2v319 , < 2.1.7.wso2v319_13 (custom)
    Affected: 2.1.7.wso2v183 , < 2.1.7.wso2v183_72 (custom)
    Affected: 4.0.0.wso2v119 , < 4.0.0.wso2v119_27 (custom)
    Affected: 4.0.0.wso2v20 , < 4.0.0.wso2v20_93 (custom)
    Affected: 4.0.0.wso2v215 , < 4.0.0.wso2v215_26 (custom)
    Affected: 4.0.0.wso2v218 , < 4.0.0.wso2v218_1 (custom)
    Affected: 4.0.0.wso2v105 , < 4.0.0.wso2v105_13 (custom)
    Affected: 4.0.0.wso2v131 , < 4.0.0.wso2v131_5 (custom)
    Unaffected: 4.0.0-wso2v254 , ≤ * (custom)
    Create a notification for this product.
    Credits
    crnković
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11093",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-05T19:14:13.042418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-05T19:39:15.696Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.145",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.147",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.141",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.3.0.42",
                  "status": "affected",
                  "version": "4.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.0.27",
                  "status": "affected",
                  "version": "4.4.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "3.1.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.1.0.345",
                  "status": "affected",
                  "version": "3.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.0.446",
                  "status": "affected",
                  "version": "3.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.1.66",
                  "status": "affected",
                  "version": "3.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.366",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.228",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.2.0.169",
                  "status": "affected",
                  "version": "4.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.3.0.81",
                  "status": "affected",
                  "version": "4.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.4.0.45",
                  "status": "affected",
                  "version": "4.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.5.0.28",
                  "status": "affected",
                  "version": "4.5.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.6.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.6.0.224",
                  "status": "affected",
                  "version": "6.6.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Universal Gateway",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.5.0.27",
                  "status": "affected",
                  "version": "4.5.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Control Plane",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.5.0.29",
                  "status": "affected",
                  "version": "4.5.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Traffic Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "4.5.0.27",
                  "status": "affected",
                  "version": "4.5.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Open Banking IAM",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.0.414",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Open Banking AM",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.0.394",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Identity Server as Key Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "5.10.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.10.0.365",
                  "status": "affected",
                  "version": "5.10.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.apache.synapse:synapse-core",
              "product": "org.apache.synapse:synapse-core",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.1.7.wso2v227_99",
                  "status": "affected",
                  "version": "2.1.7.wso2v227",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v271_88",
                  "status": "affected",
                  "version": "2.1.7.wso2v271",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v143_121",
                  "status": "affected",
                  "version": "2.1.7.wso2v143",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v319_13",
                  "status": "affected",
                  "version": "2.1.7.wso2v319",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v183_72",
                  "status": "affected",
                  "version": "2.1.7.wso2v183",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v119_27",
                  "status": "affected",
                  "version": "4.0.0.wso2v119",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v20_93",
                  "status": "affected",
                  "version": "4.0.0.wso2v20",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v215_26",
                  "status": "affected",
                  "version": "4.0.0.wso2v215",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v218_1",
                  "status": "affected",
                  "version": "4.0.0.wso2v218",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v105_13",
                  "status": "affected",
                  "version": "4.0.0.wso2v105",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v131_5",
                  "status": "affected",
                  "version": "4.0.0.wso2v131",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "4.0.0-wso2v254",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.apache.synapse:synapse-extensions",
              "product": "org.apache.synapse:synapse-extensions",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.1.7.wso2v227_99",
                  "status": "affected",
                  "version": "2.1.7.wso2v227",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v271_88",
                  "status": "affected",
                  "version": "2.1.7.wso2v271",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v143_121",
                  "status": "affected",
                  "version": "2.1.7.wso2v143",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v319_13",
                  "status": "affected",
                  "version": "2.1.7.wso2v319",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.7.wso2v183_72",
                  "status": "affected",
                  "version": "2.1.7.wso2v183",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v119_27",
                  "status": "affected",
                  "version": "4.0.0.wso2v119",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v20_93",
                  "status": "affected",
                  "version": "4.0.0.wso2v20",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v215_26",
                  "status": "affected",
                  "version": "4.0.0.wso2v215",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v218_1",
                  "status": "affected",
                  "version": "4.0.0.wso2v218",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v105_13",
                  "status": "affected",
                  "version": "4.0.0.wso2v105",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.0.0.wso2v131_5",
                  "status": "affected",
                  "version": "4.0.0.wso2v131",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "4.0.0-wso2v254",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.145",
                      "versionStartIncluding": "4.0.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.1.0.147",
                      "versionStartIncluding": "4.1.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.2.0.141",
                      "versionStartIncluding": "4.2.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.3.0.42",
                      "versionStartIncluding": "4.3.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.4.0.27",
                      "versionStartIncluding": "4.4.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.1.0.345",
                      "versionStartIncluding": "3.1.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.2.0.446",
                      "versionStartIncluding": "3.2.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.2.1.66",
                      "versionStartIncluding": "3.2.1",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.366",
                      "versionStartIncluding": "4.0.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.1.0.228",
                      "versionStartIncluding": "4.1.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.2.0.169",
                      "versionStartIncluding": "4.2.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.3.0.81",
                      "versionStartIncluding": "4.3.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.4.0.45",
                      "versionStartIncluding": "4.4.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.5.0.28",
                      "versionStartIncluding": "4.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "6.6.0.224",
                      "versionStartIncluding": "6.6.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.5.0.27",
                      "versionStartIncluding": "4.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.5.0.29",
                      "versionStartIncluding": "4.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.5.0.27",
                      "versionStartIncluding": "4.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.0.0.414",
                      "versionStartIncluding": "2.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.0.0.394",
                      "versionStartIncluding": "2.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "5.10.0.365",
                      "versionStartIncluding": "5.10.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v227_99",
                      "versionStartIncluding": "2.1.7.wso2v227",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v271_88",
                      "versionStartIncluding": "2.1.7.wso2v271",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v143_121",
                      "versionStartIncluding": "2.1.7.wso2v143",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v319_13",
                      "versionStartIncluding": "2.1.7.wso2v319",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v183_72",
                      "versionStartIncluding": "2.1.7.wso2v183",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v119_27",
                      "versionStartIncluding": "4.0.0.wso2v119",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v20_93",
                      "versionStartIncluding": "4.0.0.wso2v20",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v215_26",
                      "versionStartIncluding": "4.0.0.wso2v215",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v218_1",
                      "versionStartIncluding": "4.0.0.wso2v218",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v105_13",
                      "versionStartIncluding": "4.0.0.wso2v105",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v131_5",
                      "versionStartIncluding": "4.0.0.wso2v131",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "*",
                      "versionStartIncluding": "4.0.0-wso2v254",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v227_99",
                      "versionStartIncluding": "2.1.7.wso2v227",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v271_88",
                      "versionStartIncluding": "2.1.7.wso2v271",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v143_121",
                      "versionStartIncluding": "2.1.7.wso2v143",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v319_13",
                      "versionStartIncluding": "2.1.7.wso2v319",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.1.7.wso2v183_72",
                      "versionStartIncluding": "2.1.7.wso2v183",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v119_27",
                      "versionStartIncluding": "4.0.0.wso2v119",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v20_93",
                      "versionStartIncluding": "4.0.0.wso2v20",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v215_26",
                      "versionStartIncluding": "4.0.0.wso2v215",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v218_1",
                      "versionStartIncluding": "4.0.0.wso2v218",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v105_13",
                      "versionStartIncluding": "4.0.0.wso2v105",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.0.0.wso2v131_5",
                      "versionStartIncluding": "4.0.0.wso2v131",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "*",
                      "versionStartIncluding": "4.0.0-wso2v254",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "crnkovi\u0107"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.\u003cbr\u003e\u003cbr\u003eBy default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.\u003cbr\u003e"
                }
              ],
              "value": "An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.\n\nBy default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-05T18:34:04.737Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2025-4510",
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2025-11093",
        "datePublished": "2025-11-05T18:31:17.873Z",
        "dateReserved": "2025-09-27T07:10:05.485Z",
        "dateUpdated": "2025-11-05T19:39:15.696Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4598 (GCVE-0-2024-4598)

    Vulnerability from cvelistv5 – Published: 2025-09-23 10:39 – Updated: 2025-09-23 19:35
    VLAI
    Title
    Information Disclosure in Multiple WSO2 Products Due to Improper Handling in Enrich Mediator
    Summary
    An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions. This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1259 - Improper Restriction of Security Token Assignment
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 API Manager Unknown: 0 , < 3.2.0 (custom)
    Affected: 3.2.0 , < 3.2.0.422 (custom)
    Affected: 3.2.1 , < 3.2.1.42 (custom)
    Affected: 4.1.0 , < 4.1.0.152 (custom)
    Affected: 4.3.0 , < 4.3.0.55 (custom)
    Create a notification for this product.
    WSO2 WSO2 Micro Integrator Unknown: 0 , < 1.2.0 (custom)
    Affected: 1.2.0 , < 1.2.0.157 (custom)
    Affected: 4.1.0 , < 4.1.0.95 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4598",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-23T19:35:13.107728Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1259",
                    "description": "CWE-1259 Improper Restriction of Security Token Assignment",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-23T19:35:33.987Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "3.2.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.0.422",
                  "status": "affected",
                  "version": "3.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.2.1.42",
                  "status": "affected",
                  "version": "3.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.152",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.3.0.55",
                  "status": "affected",
                  "version": "4.3.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.2.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.2.0.157",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.1.0.95",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.\u003cbr\u003e\u003cbr\u003eThis vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows."
                }
              ],
              "value": "An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.\n\nThis vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-23T10:39:16.195Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2024-3355",
            "discovery": "INTERNAL"
          },
          "title": "Information Disclosure in Multiple WSO2 Products Due to Improper Handling in Enrich Mediator",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2024-4598",
        "datePublished": "2025-09-23T10:39:16.195Z",
        "dateReserved": "2024-05-07T06:40:12.013Z",
        "dateUpdated": "2025-09-23T19:35:33.987Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6836 (GCVE-0-2023-6836)

    Vulnerability from cvelistv5 – Published: 2023-12-15 09:26 – Updated: 2024-08-02 08:42
    VLAI
    Summary
    Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 API Manager Unknown: 0 , < 3.0.0.0 (custom)
    Affected: 3.0.0.0 , < 3.0.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Manager Analytics Unknown: 0 , < 2.2.0.0 (custom)
    Affected: 2.2.0.0 , < 2.2.0.1 (custom)
    Affected: 2.5.0.0 , < 2.5.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 API Microgateway Unknown: 0 , < 2.2.0.0 (custom)
    Affected: 2.2.0.0 , < 2.2.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 Enterprise Integrator Unknown: 0 , < 6.0.0.2 (custom)
    Affected: 6.0.0.0 , < 6.0.0.3 (custom)
    Affected: 6.1.0.0 , < 6.1.0.5 (custom)
    Affected: 6.1.1.0 , < 6.1.1.5 (custom)
    Affected: 6.6.0.0 , < 6.6.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 IS as Key Manager Unknown: 0 , < 5.5.0.0 (custom)
    Affected: 5.5.0.0 , < 5.5.0.1 (custom)
    Affected: 5.6.0.0 , < 5.6.0.1 (custom)
    Affected: 5.7.0.0 , < 5.7.0.1 (custom)
    Affected: 5.9.0.0 , < 5.9.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 Identity Server Unknown: 0 , < 5.4.0.0 (custom)
    Affected: 5.4.0.0 , < 5.4.0.1 (custom)
    Affected: 5.4.1.0 , < 5.4.1.1 (custom)
    Affected: 5.5.0.0 , < 5.5.0.1 (custom)
    Affected: 5.6.0.0 , < 5.6.0.1 (custom)
    Create a notification for this product.
    WSO2 WSO2 Micro Integrator Unknown: 0 , < 1.0.0.0 (custom)
    Affected: 1.0.0.0 , < 1.0.0.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:42:08.180Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager ",
              "repo": "https://github.com/wso2/product-apim",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "3.0.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.0.1",
                  "status": "affected",
                  "version": "3.0.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Manager Analytics",
              "repo": "https://github.com/wso2/analytics-apim",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.0.1",
                  "status": "affected",
                  "version": "2.2.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.0.1",
                  "status": "affected",
                  "version": "2.5.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 API Microgateway",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "2.2.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.0.1",
                  "status": "affected",
                  "version": "2.2.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Enterprise Integrator",
              "repo": "https://github.com/wso2/product-ei",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "6.0.0.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.0.3",
                  "status": "affected",
                  "version": "6.0.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0.5",
                  "status": "affected",
                  "version": "6.1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.1.5",
                  "status": "affected",
                  "version": "6.1.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.6.0.1",
                  "status": "affected",
                  "version": "6.6.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 IS as Key Manager",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "5.5.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.5.0.1",
                  "status": "affected",
                  "version": "5.5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.6.0.1",
                  "status": "affected",
                  "version": "5.6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.7.0.1",
                  "status": "affected",
                  "version": "5.7.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.9.0.1",
                  "status": "affected",
                  "version": "5.9.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Identity Server",
              "repo": "https://github.com/wso2/product-is",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "5.4.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.4.0.1",
                  "status": "affected",
                  "version": "5.4.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.4.1.1",
                  "status": "affected",
                  "version": "5.4.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.5.0.1",
                  "status": "affected",
                  "version": "5.5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.6.0.1",
                  "status": "affected",
                  "version": "5.6.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Micro Integrator",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "1.0.0.0",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.0.0.1",
                  "status": "affected",
                  "version": "1.0.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."
                }
              ],
              "value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-250",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-250 XML Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-09T05:03:32.570Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\u003cbr\u003e\u003cbr\u003eCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/\u003c/a\u003e\u003cbr\u003e"
                }
              ],
              "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ \n"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2023-6836",
        "datePublished": "2023-12-15T09:26:01.323Z",
        "dateReserved": "2023-12-15T09:25:13.205Z",
        "dateUpdated": "2024-08-02T08:42:08.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-29548 (GCVE-0-2022-29548)

    Vulnerability from cvelistv5 – Published: 2022-04-21 00:00 – Updated: 2024-08-03 06:26
    VLAI
    Summary
    A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:26:06.033Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AC:L/AV:A/A:N/C:L/I:L/PR:N/S:U/UI:R",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-03T04:55:32.147Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603"
            },
            {
              "url": "http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html"
            },
            {
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-29548",
        "datePublished": "2022-04-21T00:00:00.000Z",
        "dateReserved": "2022-04-21T00:00:00.000Z",
        "dateUpdated": "2024-08-03T06:26:06.033Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17453 (GCVE-0-2020-17453)

    Vulnerability from cvelistv5 – Published: 2021-04-05 00:00 – Updated: 2024-08-04 13:53
    VLAI Shadowserver
    Summary
    WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:53:17.471Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://twitter.com/JacksonHHax/status/1374681422678519813"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/JHHAX/CVE-2020-17453-PoC"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-11T02:23:53.848Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://twitter.com/JacksonHHax/status/1374681422678519813"
            },
            {
              "url": "https://github.com/JHHAX/CVE-2020-17453-PoC"
            },
            {
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-17453",
        "datePublished": "2021-04-05T00:00:00.000Z",
        "dateReserved": "2020-08-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T13:53:17.471Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }