Reflected Cross-Site Scripting Vulnerability in WSO2 Products
CVE-2024-5848

6.1 MEDIUM

Key Information:

Vendor: WSO2
Products: WSO2 API Manager, WSO2 Open Banking AM
CVE Published: 27 February 2025

Summary

A reflected cross-site scripting (XSS) vulnerability affects several WSO2 products, stemming from improper input validation practices. Malicious user-supplied data is incorporated into server responses from vulnerable service endpoints without adequate sanitization or encoding. This weakness enables attackers to craft harmful JavaScript payloads. Exploitation of this flaw may facilitate UI manipulation, unwarranted redirections to nefarious websites, or unauthorized data access from the user's browser. Although session-related sensitive cookies possess the httpOnly flag to mitigate session hijacking risks, the impact could differ based on the gateway-level service restrictions implemented.

Affected Version(s)

WSO2 API Manager 3.1.0 < 3.1.0.285

WSO2 API Manager 3.2.0 < 3.2.0.375

WSO2 API Manager 3.2.1 < 3.2.1.10
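An added triage helper, not part of this advisory or of WSO2's own tooling: it parses the affected-version lines above and reports whether a deployed API Manager build falls inside a vulnerable range. It assumes WSO2's version scheme in which a four-part string such as `3.2.0.375` means base release 3.2.0 at update level 375, and that a bare three-part version such as `3.2.0` carries no updates (level 0).

```python
import re

# Affected-version lines copied from this advisory (constructed input for the example).
AFFECTED_LINES = [
    "WSO2 API Manager 3.1.0 < 3.1.0.285",
    "WSO2 API Manager 3.2.0 < 3.2.0.375",
    "WSO2 API Manager 3.2.1 < 3.2.1.10",
]

# "<product> <base> < <fixed>" where <fixed> is the first patched update level.
LINE_RE = re.compile(
    r"^(?P<product>.+?)\s+(?P<base>\d+\.\d+\.\d+)\s*<\s*(?P<fixed>\d+(?:\.\d+)*)$"
)


def parse_affected(lines):
    """Return {(product, base_version): first_fixed_update_level}."""
    ranges = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised affected-version line: {line!r}")
        product, base, fixed = m.group("product"), m.group("base"), m.group("fixed")
        if not fixed.startswith(base + "."):
            raise ValueError(f"fixed version {fixed} is not an update of {base}")
        ranges[(product, base)] = int(fixed[len(base) + 1:])
    return ranges


def split_version(version):
    """Split '3.2.0.371' into ('3.2.0', 371); a bare '3.2.0' is update level 0 (assumption)."""
    parts = version.split(".")
    if len(parts) == 3:
        return version, 0
    if len(parts) == 4:
        return ".".join(parts[:3]), int(parts[3])
    raise ValueError(f"unexpected WSO2 version string: {version!r}")


def is_affected(product, version, ranges=None):
    """True if vulnerable, False if patched, None if the base release is not listed here."""
    if ranges is None:
        ranges = parse_affected(AFFECTED_LINES)
    base, level = split_version(version)
    fixed = ranges.get((product, base))
    if fixed is None:
        return None  # not covered by this advisory; check the vendor's security notice
    return level < fixed
```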

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved