CVE-2024-10242
Published 2026-04-16
Priority: P429 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.24% (14.9th percentile)
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser.
Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | >= 3.2.0 < 3.2.0.401 | 3.2.0.401 |
| wso2 | api_manager | >= 4.0.0 < 4.0.0.318 | 4.0.0.318 |
| wso2 | wso2_api_manager | >= 3.2.0 < 3.2.0.401 | 3.2.0.401 |
| wso2 | wso2_api_manager | >= 4.0.0 < 4.0.0.318 | 4.0.0.318 |
GHSA
GHSA-6f87-4ph2-cp38: The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response
GHSA (unreviewed) · 2026-04-16
VulDB
WSO2 API Manager prior 3.2.0.401/4.0.0.318 Authentication Endpoint cross site scripting (EUVD-2024-55545)
VulDB · 2026-04-16 · CVSS 6.1
A vulnerability classified as problematic was found in WSO2 API Manager. It affects unknown code of the Authentication Endpoint component; manipulation of the input can lead to cross-site scripting.
This vulnerability is registered as CVE-2024-10242. The attack can be launched remotely. No exploit is available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.