Stored Cross-Site Scripting Vulnerability in WSO2 Management Console
CVE-2023-6911

4.8 MEDIUM

What is CVE-2023-6911?

Multiple WSO2 products are vulnerable to Stored Cross-Site Scripting (XSS) because of improper output encoding. By injecting a malicious payload into the Registry feature of the Management Console, an attacker could cause harmful scripts to execute in the context of users accessing the affected application, jeopardizing sensitive data and user sessions.

Affected Version(s)

WSO2 API Manager 2.2.0.0 < 2.2.0.1

WSO2 API Manager 2.5.0.0 < 2.5.0.1

WSO2 API Manager 2.6.0.0 < 2.6.0.1

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
