CVE-2022-29548
Published 2022-04-21. CVE-2022-29548: A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0…
Priority: P3 · Severity: medium (CVSS 3.1 base score 6.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: public exploit available
EPSS: 40.48% (98.5th percentile)
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.
Affected
31 ranges in the source, 25 shown. The version-range and fixed-in columns are not populated in the source table; the affected versions are listed in the description above.
| Vendor | Product | Ranges listed | Version range | Fixed in |
|---|---|---|---|---|
| wso2 | api_manager | 7 | — | — |
| wso2 | api_manager_analytics | 3 | — | — |
| wso2 | api_microgateway | 1 | — | — |
| wso2 | data_analytics_server | 1 | — | — |
| wso2 | enterprise_integrator | 5 | — | — |
| wso2 | identity_server | 6 | — | — |
| wso2 | identity_server_analytics | 2 | — | — |
Detection & IOCs (extracted from sources)
Reflected fragment quoted from the sources: `CARBON.showWarningDialog('???');alert(document.domain)//???`
- Look for GET requests to /carbon/admin/login.jsp with both 'loginStatus=false' and 'errorCode=' parameters containing URL-encoded single-quote and JavaScript injection patterns (e.g., %27);).
- Use the Google dork inurl:"carbon/admin/login" to identify exposed WSO2 Management Console instances.
- The XSS payload is injected via the 'errorCode' query parameter and reflected back unsanitized in the response body within a CARBON.showWarningDialog() JavaScript call.
- Identify vulnerable WSO2 instances via Shodan favicon hash 1398055326 or FOFA icon_hash=1398055326.
- The vulnerability is unauthenticated and requires no prior login; exploitation only requires user interaction (victim clicking a crafted link), making it suitable for phishing-based delivery.
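As an added example (not from the page's sources), the access-log heuristic above applied to constructed sample lines: a request is flagged when it is a GET to /carbon/admin/login.jsp with loginStatus=false and an errorCode value that, once URL-decoded, contains quote, parenthesis or other characters that break out of the reflected string literal. The combined log format and the IP addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Apr/2022:10:00:01 +0000] "GET /carbon/admin/login.jsp?loginStatus=false&errorCode=login.fail HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Apr/2022:10:00:02 +0000] "GET /carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)// HTTP/1.1" 200 5150 "-" "Mozilla/5.0"
203.0.113.12 - - [21/Apr/2022:10:00:03 +0000] "GET /carbon/admin/login.jsp?loginStatus=true HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [21/Apr/2022:10:00:04 +0000] "GET /carbon/admin/login.jsp?errorCode=%27%29%3Balert%281%29%2F%2F&loginStatus=false HTTP/1.1" 200 5150 "-" "curl/7.81"
"""

# Extract the request line: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A legitimate errorCode is a plain message key; a quote or parenthesis is what
# closes the CARBON.showWarningDialog('...') literal the value is reflected into.
SUSPICIOUS = re.compile(r"""['"()<>;]|javascript:""", re.IGNORECASE)


def is_xss_attempt(line: str) -> bool:
    """True if the log line matches the CVE-2022-29548 request pattern."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return False
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/carbon/admin/login.jsp"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("loginStatus", [""])[0].lower() != "false":
        return False
    for raw in params.get("errorCode", []):
        # parse_qs decoded once already; decode again to catch double encoding.
        if SUSPICIOUS.search(unquote_plus(raw)):
            return True
    return False


def scan(log_text: str) -> list:
    """Return the client IPs of all lines that match the pattern."""
    return [ln.split()[0] for ln in log_text.splitlines() if is_xss_attempt(ln)]


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```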
CVSS provenance
- NVD, CVSS v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
No detection rules found.
Exploit-DB
WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
exploitdb · 2022-06-27 · CVSS 4.6 · MEDIUM
Exploit header (truncated in the source):
```text
# Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
# Date: 21 Apr 2022
# Exploit Author: cxosmo
# Vendor Homepage: https://wso2.com
# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/)
# Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;
# API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;
# API Microgateway 2.2.0;
# Data Analytics Server 3.2.0;
# Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;
# IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;
# Identity Se
```
Nuclei
WSO2 - Cross-Site Scripting
nuclei · CVSS 6.1 · MEDIUM
WSO2 contains a reflected cross-site scripting vulnerability in the Management Console of API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.
Template (truncated in the source):
```yaml
id: CVE-2022-29548
info:
  name: WSO2 - Cross-Site Scripting
  author: edoardottt
  severity: medium
  description: |
    WSO2 contains a reflected cross-site scripting vulnerability in the Management Console of API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.
```
Greynoiseio
NoiseLetter October 2025
HackerOne
Reflected XSS on Amazon EC2 Instance
hackerone · 2024-12-24 · CVSS 4.6 · MEDIUM
Product: Amazon Elastic Compute Cloud (Amazon EC2)
Vulnerability Type: Reflected Cross-Site Scripting (XSS)
CVE: CVE-2022-29548
Severity: Medium
Description:
A reflected XSS vulnerability was discovered on the Amazon EC2 instance, allowing an attacker to inject malicious JavaScript code, potentially leading to unauthorized access to sensitive data or system compromise.
Proof of Concept:
URL: ███████);alert(document.domain)//
## Impact
The payload is injected into the errorCode parameter, which is reflected back to the user without proper validation or sanitization. This allows an attacker to execute arbitrary JavaScript code in the context of the vulnerable page.
References
- http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/