Stored Cross-Site Scripting Vulnerability in WSO2 Management Console
CVE-2024-3509

4.3 MEDIUM

What is CVE-2024-3509?

A stored cross-site scripting (XSS) vulnerability has been identified within the Management Console of various WSO2 products. This issue arises from inadequate input validation within the Rich Text Editor in the registry section, allowing an attacker with administrative access to inject persistent JavaScript payloads. Such exploitation could facilitate the theft of sensitive user data or the execution of unauthorized actions on behalf of other users. Although this vulnerability enables persistent client-side script execution, session-related cookies are safeguarded with the httpOnly flag, mitigating the risk of session hijacking.
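The control the description points at, server-side validation of what a rich-text editor submits, is shown below as an added example; it is not WSO2 code and does not reflect how the Management Console is implemented. It is an allowlist HTML sanitizer that a server would run over editor content before storing it in a registry resource: formatting tags survive, script and style content is discarded, event-handler attributes are dropped, and link targets are restricted to safe URL schemes. The tag and attribute allowlists, the URL check, and the sample stored entry are this example's own assumptions.

```python
"""Allowlist HTML sanitizer for rich-text content (added example, not WSO2 code).

Everything not explicitly allowed is removed: unknown tags, every attribute
outside the per-tag allowlist (so all on* handlers), and URLs whose scheme is
not http, https or mailto. Text is re-escaped on output.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting an editor legitimately needs; this allowlist is an assumption.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "img"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
# Tags whose text content is discarded as well, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Accept http(s)/mailto URLs or plain relative paths; reject the rest."""
    # Browsers ignore tabs and newlines inside URLs, so strip them first.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    parsed = urlparse(cleaned)
    if parsed.scheme:  # urlparse lowercases the scheme
        return parsed.scheme in SAFE_SCHEMES
    return ":" not in cleaned  # scheme-less: only plain relative paths


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content is still kept as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops on*, style, and every other unlisted attribute
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag not in self.open_tags:
            return
        # Close anything still open inside this element to keep output well-formed.
        while self.open_tags:
            inner = self.open_tags.pop()
            self.out.append("</%s>" % inner)
            if inner == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments never reach storage

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_rich_text(html):
    """Return the allowlisted form of editor-submitted HTML."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return s.result()


# Constructed sample of a rich-text registry entry with injected markup.
STORED_ENTRY = (
    '<h2>Release notes</h2>'
    '<p>Updated the <b>payment</b> endpoint, see '
    '<a href="https://example.com/docs" title="Docs">docs</a>.</p>'
    '<script>alert(document.domain)</script>'
    '<img src="x" onerror="alert(document.domain)">'
    '<a href="javascript:alert(1)">click me</a>'
    '<p onmouseover="alert(1)">hover <i>text</i></p>'
)

if __name__ == "__main__":
    print(sanitize_rich_text(STORED_ENTRY))
```

Running it on the constructed entry keeps the heading, paragraphs, bold and the documentation link, but emits no script element, no `onerror` or `onmouseover` attribute, and an anchor with the `javascript:` target removed. Sanitizing on the server at save time, rather than only in the browser editor, is the part that matters for a stored XSS: the editor's own client-side filtering can be bypassed by submitting the request directly, and an administrator's browser is just one more client.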

Affected Version(s)

WSO2 API Manager 3.1.0 < 3.1.0.275

WSO2 API Manager 3.2.0 < 3.2.0.392

WSO2 API Manager 3.2.1 < 3.2.1.19

References

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
