Latest wso2 api manager Vulnerabilities

CVE-2023-6911
Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload in...
WSO2 API Manager=2.2.0
WSO2 API Manager=2.5.0
WSO2 API Manager=2.6.0
WSO2 API Manager=3.0.0
WSO2 API Manager=3.1.0
WSO2 API Manager=3.2.0
and 30 more
CVE-2023-6839
Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.
WSO2 API Manager=3.0.0
WSO2 API Manager=3.1.0
WSO2 API Manager=3.2.0
WSO2 API Manager=4.0.0
CVE-2023-6838
Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.
WSO2 API Manager=3.1.0
WSO2 API Manager=3.2.0
WSO2 Identity Server as Key Manager=5.10.0
WSO2 Identity Server=5.10.0
CVE-2023-6837
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditi...
maven/org.wso2.identity.apps:authentication-portal<1.6.179.1
maven/org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.authentication.framework<5.20.254
WSO2 API Manager=2.5.0
WSO2 API Manager=2.6.0
WSO2 API Manager=3.0.0
WSO2 API Manager=3.1.0
and 28 more
CVE-2023-6836
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.
WSO2 API Manager<=3.0.0
Wso2 Api Manager Analytics=2.2.0
Wso2 Api Manager Analytics=2.5.0
WSO2 API Microgateway=2.2.0
WSO2 Enterprise Integrator<=6.6.0
WSO2 Identity Server as Key Manager=5.0.0
and 14 more
CVE-2023-6835
Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated.
maven/org.wso2.carbon.apimgt:forum<=9.0.78
WSO2 API Manager=2.2.0
WSO2 API Manager=2.5.0
WSO2 API Manager=2.6.0
Wso2 Iot Server=3.3.1
=2.2.0
and 3 more
CVE-2023-31664
A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payloa...
WSO2 API Manager<4.2.0
CVE-2021-42646
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Mana...
WSO2 API Manager=2.6.0
WSO2 API Manager=3.0.0
WSO2 API Manager=3.1.0
WSO2 API Manager=3.2.0
WSO2 API Manager=4.0.0
WSO2 Identity Server=5.7.0
and 7 more
CVE-2022-29548
WSO2 API Manager=2.2.0
WSO2 API Manager=2.5.0
WSO2 API Manager=2.6.0
WSO2 API Manager=3.0.0
WSO2 API Manager=3.1.0
WSO2 API Manager=3.2.0
and 25 more
CVE-2022-29464
WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
WSO2 API Manager>=2.2.0<=4.0.0
WSO2 Enterprise Integrator>=6.2.0<=6.6.0
WSO2 Identity Server>=5.2.0<=5.11.0
WSO2 Identity Server Analytics=5.4.0
WSO2 Identity Server Analytics=5.4.1
WSO2 Identity Server Analytics=5.5.0
and 3 more
CVE-2021-36760
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callb...
WSO2 API Manager=3.0.0
WSO2 API Manager=3.1.0
WSO2 API Manager=3.2.0
WSO2 API Manager=4.0.0
WSO2 Identity Server=5.7.0
WSO2 Identity Server=5.8.0
and 10 more
CVE-2020-17453
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
<=3.2.0
=2.2.0
=2.5.0
=2.6.0
=2.2.0
<=6.6.0
and 28 more
CVE-2020-27885
WSO2 API Manager=3.1.0
CVE-2020-17454
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does n...
WSO2 API Manager<=3.1.0
CVE-2020-24706
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity ...
<=3.1.0
=2.5.0
<=5.10.0
<=5.6.0
<=5.10.0
=3.1.0
and 6 more
CVE-2020-24705
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Sess...
<=3.1.0
=2.5.0
<=5.10.0
<=5.6.0
<=5.10.0
=3.1.0
and 6 more
CVE-2020-24703
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Sess...
=2.2.0
=2.2.0
=2.2.0
=3.2.0
<=6.6.0
=5.5.0
and 16 more
CVE-2020-24704
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0...
=2.2.0
=2.2.0
=2.2.0
=3.2.0
<=6.6.0
=5.5.0
and 16 more
CVE-2020-24590
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.
WSO2 API Manager<=3.1.0
WSO2 API Microgateway=2.2.0
CVE-2020-24591
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, ...
WSO2 API Manager<=3.0.0
Wso2 Api Manager Analytics=2.2.0
Wso2 Api Manager Analytics=2.5.0
WSO2 API Microgateway=2.2.0
WSO2 Enterprise Integrator=6.2.0
WSO2 Enterprise Integrator=6.3.0
and 1 more
CVE-2020-24589
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.
WSO2 API Manager<=3.1.0
WSO2 API Microgateway=2.2.0
CVE-2020-13883
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
WSO2 API Manager<=3.0.0
WSO2 API Microgateway=2.2.0
WSO2 Identity Server as Key Manager<=5.9.0
CVE-2020-13226
WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet.
maven/org.wso2.am:am-parent<=3.0.0
WSO2 API Manager=3.0.0
CVE-2020-12719
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 ...
WSO2 API Manager<=3.0.0
Wso2 Api Manager Analytics<=2.5.0
WSO2 API Microgateway=2.2.0
WSO2 Enterprise Integrator<=6.4.0
WSO2 Identity Server<=5.9.0
WSO2 Identity Server Analytics<=5.6.0
and 1 more
CVE-2019-20439
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in defining a scope in the "manage the API" page of the API Publis...
WSO2 API Manager=2.6.0
CVE-2019-20438
An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the inline API documentation editor page of the API Publisher.
WSO2 API Manager=2.6.0
CVE-2019-20437
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider ...
WSO2 API Manager=2.6.0
WSO2 Identity Server=5.7.0
WSO2 Identity Server=5.8.0
CVE-2019-20435
An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harm...
WSO2 API Manager=2.6.0
CVE-2019-20436
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a us...
WSO2 API Manager=2.6.0
WSO2 Identity Server=5.7.0
WSO2 Identity Server=5.8.0
CVE-2019-20434
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console.
WSO2 API Manager=2.6.0
CVE-2019-20443
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnera...
WSO2 API Manager=2.6.0
WSO2 Enterprise Integrator=6.5.0
WSO2 Identity Server=5.7.0
WSO2 Identity Server=5.8.0
CVE-2019-20440
WSO2 API Manager=2.6.0
CVE-2019-20441
An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the 'implement phase' of the API Publisher.
WSO2 API Manager=2.6.0
CVE-2019-15108
An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component.
WSO2 API Manager<=2.6.0
CVE-2019-6513
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.
WSO2 API Manager=2.6.0
CVE-2019-6515
An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user.
WSO2 API Manager=2.6.0
CVE-2019-6512
An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF netwo...
WSO2 API Manager=2.6.0
CVE-2018-20736
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. A DOM-based XSS exists in the store part of the product.
WSO2 API Manager=2.6.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203