Cross-Site Scripting Vulnerability in WSO2 Product
CVE-2024-10242
6.1 MEDIUM
What is CVE-2024-10242?
The vulnerability arises from inadequate validation of user-supplied input at the authentication endpoint in WSO2 API Manager. Because values passed in the input parameters are not properly validated or encoded before being reflected into the response, an attacker can inject script that executes in the context of the victim's browser. Such an exploit can enable a broad range of attacks, including redirecting users to malicious sites or altering the appearance of the page, but the risk is partly mitigated by the HttpOnly flag on sensitive session cookies, which keeps injected script from reading them and so helps prevent session hijacking.
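An added illustration, not WSO2 code: a minimal reflected-XSS pattern of the kind the advisory describes (a login page echoing request parameters without encoding), beside its hardened form and a session cookie carrying the HttpOnly flag the advisory credits with limiting impact. The form path, parameter names and cookie name are constructed for the example.

```python
# Added example (not WSO2 code): reflected input in a login page, unsafe vs.
# hardened, plus the HttpOnly session cookie the advisory mentions.
import html
from http.cookies import SimpleCookie

# Hypothetical login template that echoes request parameters back into the
# page (an error message and a pre-filled field). Path and names are constructed.
TEMPLATE = (
    '<form action="/login" method="post">'
    '<p class="error">{error}</p>'
    '<input name="username" value="{username}">'
    '</form>'
)


def render_vulnerable(params: dict) -> str:
    """Echoes user-supplied values verbatim: the inadequate-validation pattern."""
    return TEMPLATE.format(
        error=params.get("error", ""),
        username=params.get("username", ""),
    )


def render_hardened(params: dict) -> str:
    """Same page, but every reflected value is HTML-encoded for its context.

    quote=True also encodes double and single quotes, which is what stops a
    value from breaking out of the attribute it is placed in.
    """
    return TEMPLATE.format(
        error=html.escape(params.get("error", ""), quote=True),
        username=html.escape(params.get("username", ""), quote=True),
    )


def reflects_unescaped(page: str, marker: str) -> bool:
    """Detection helper for a test suite: does the marker survive as raw markup?"""
    return marker in page


def session_cookie_header(value: str) -> str:
    """Set-Cookie for a session id with HttpOnly set (script cannot read it)."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = value          # cookie name is illustrative
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")
```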
Affected Version(s)
WSO2 API Manager 3.2.0 < 3.2.0.401
WSO2 API Manager 4.0.0 < 4.0.0.318
