Reflected XSS Vulnerability in WSO2 Products
CVE-2024-8008

5.2 MEDIUM

What is CVE-2024-8008?

A reflected cross-site scripting vulnerability in WSO2 products arises from inadequate output encoding of error messages returned during JDBC user store connection validation. An attacker can inject a script into the affected request, and because the error message is reflected without proper encoding, the script executes as arbitrary JavaScript in the victim's browser context. Such exploitation may facilitate UI manipulation, redirection to harmful sites, or extraction of sensitive data from the browser. Note that session-related cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking, but other user data in the browser remains at risk.

Affected Version(s)

WSO2 API Manager 3.1.0 < 3.1.0.305

WSO2 API Manager 3.2.0 < 3.2.0.396

WSO2 API Manager 3.2.1 < 3.2.1.28

CVSS V3.1

Score: 5.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
