Description
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- WSO2 / WSO2 API Control Plane4.5.0 – 4.5.0.8
- WSO2 / WSO2 API Manager3.2.0 – 3.2.0.428
- WSO2 / WSO2 API Manager3.2.1 – 3.2.1.48
- WSO2 / WSO2 API Manager4.1.0 – 4.1.0.209
- WSO2 / WSO2 API Manager0 – 3.2.0
- WSO2 / WSO2 API Manager4.3.0 – 4.3.0.60
- WSO2 / WSO2 API Manager4.4.0 – 4.4.0.23
- WSO2 / WSO2 API Manager4.5.0 – 4.5.0.7
- WSO2 / WSO2 API Manager4.2.0 – 4.2.0.145
- WSO2 / WSO2 Carbon API Management API9.31.117 – *
- WSO2 / WSO2 Carbon API Management API9.30.67 – 9.30.67.80
- WSO2 / WSO2 Carbon API Management API9.31.86 – 9.31.86.30
- WSO2 / WSO2 Carbon API Management API6.7.206 – 6.7.206.559
- WSO2 / WSO2 Carbon API Management API6.7.210 – 6.7.210.48
- WSO2 / WSO2 Carbon API Management API9.20.74 – 9.20.74.365
- WSO2 / WSO2 Carbon API Management API9.28.116 – 9.28.116.321
- WSO2 / WSO2 Carbon API Management API9.29.120 – 9.29.120.163
- WSO2 / WSO2 Traffic Manager4.5.0 – 4.5.0.7
- WSO2 / WSO2 Universal Gateway4.5.0 – 4.5.0.7