Reflected XSS Vulnerability in WSO2 Products
CVE-2024-8008
Key Information:
- Vendor: WSO2
- CVE Published: 2 June 2025
What is CVE-2024-8008?
A reflected cross-site scripting vulnerability in WSO2 products arises from inadequate output encoding in error messages during JDBC user store connection validation. An attacker can inject harmful scripts into the affected requests, resulting in the execution of arbitrary JavaScript code in the browser context. Such exploitation may facilitate UI manipulation, redirection to harmful sites, or extraction of sensitive data from the browser. Session-related cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking, but user data remains at risk.
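An added illustration of the missing output encoding described above, not WSO2's code: it assumes the reflected value is the JDBC connection URL (the page does not say which parameter is reflected) and uses hypothetical names (`validate`, `renderUnsafe`, `renderSafe`) and a constructed URL with a harmless marker tag. `java.sql.DriverManager` echoes an unrecognised URL in its exception message, so the failure text carries request input into the page unless it is encoded at output.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class ConnectionErrorEncoding {

    // Minimal HTML encoder for element content and quoted attribute values.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical validation step: attempt the connection and return a status text.
    // On failure the driver's message is passed through, and it can contain the URL.
    static String validate(String url) {
        try (Connection c = DriverManager.getConnection(url)) {
            return "Connection OK";
        } catch (SQLException e) {
            return "Connection validation failed: " + e.getMessage();
        }
    }

    // Before: the status text is concatenated into markup as-is.
    static String renderUnsafe(String message) {
        return "<div class=\"error\">" + message + "</div>";
    }

    // After: the same text is encoded at the point where it enters the HTML.
    static String renderSafe(String message) {
        return "<div class=\"error\">" + encodeForHtml(message) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed input: no driver accepts this URL, so validation fails.
        String message = validate("jdbc:example://db.invalid/<b>marker</b>");
        System.out.println(renderUnsafe(message)); // marker tag reaches the page as markup
        System.out.println(renderSafe(message));   // marker tag is rendered as inert text
    }
}
```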

Affected Version(s)
WSO2 API Control Plane 4.5.0 < 4.5.0.17
WSO2 API Manager 3.1.0 < 3.1.0.305
WSO2 API Manager 3.2.0 < 3.2.0.396
