CVE-2025-4760
published 2025-09-23CVE-2025-4760: An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API…
PriorityP422medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.17%
7.0th percentile
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.
A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
Affected
34 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 5.4.301 | 5.4.301 |
| linux | linux_kernel | >= 5.11.0 < 5.15.195 | 5.15.195 |
| linux | linux_kernel | >= 5.16.0 < 6.1.156 | 6.1.156 |
| linux | linux_kernel | >= 5.5.0 < 5.10.246 | 5.10.246 |
| linux | linux_kernel | >= 6.13.0 < 6.17.3 | 6.17.3 |
| linux | linux_kernel | >= 6.2.0 < 6.6.112 | 6.6.112 |
| linux | linux_kernel | >= 6.7.0 < 6.12.53 | 6.12.53 |
| wso2 | api_control_plane | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | traffic_manager | — | — |
| wso2 | universal_gateway | — | — |
| wso2 | wso2_api_control_plane | >= 4.5.0 < 4.5.0.8 | 4.5.0.8 |
| wso2 | wso2_api_manager | >= 3.2.0 < 3.2.0.428 | 3.2.0.428 |
| wso2 | wso2_api_manager | >= 3.2.1 < 3.2.1.48 | 3.2.1.48 |
| wso2 | wso2_api_manager | >= 4.1.0 < 4.1.0.209 | 4.1.0.209 |
| wso2 | wso2_api_manager | >= 4.2.0 < 4.2.0.145 | 4.2.0.145 |
| wso2 | wso2_api_manager | >= 4.3.0 < 4.3.0.60 | 4.3.0.60 |
| wso2 | wso2_api_manager | >= 4.4.0 < 4.4.0.23 | 4.4.0.23 |
| wso2 | wso2_api_manager | >= 4.5.0 < 4.5.0.7 | 4.5.0.7 |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
vendor_redhat5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
pps: fix warning in pps_register_cdev when register device fail
osv·2025-10-28
CVE-2025-40070 pps: fix warning in pps_register_cdev when register device fail
pps: fix warning in pps_register_cdev when register device fail
In the Linux kernel, the following vulnerability has been resolved:
pps: fix warning in pps_register_cdev when register device fail
Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error
handling in __video_register_device()"), the release hook should be set
before device_register(). Otherwise, when device_register() return error
and put_device() try to callback the release function, the below warning
may happen.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567
Modules linked in:
CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE
RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567
Call
OSV
WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability
osv·2025-09-23
CVE-2025-4760 [MEDIUM] WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability
WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability
An authenticated stored Cross-Site Scripting (XSS) vulnerability exists in WSO2 API Manager components (`carbon-apimgt`) due to insufficient validation of user-supplied input during API document upload in the Publisher portal.
A user with publisher privileges can upload a crafted API document whose contents are later rendered in the UI for other users, leading to attacker-controlled script execution. Likely outcomes include redirection to malicious sites, unauthorized UI modifications, or exfiltration of data accessible to the browser; session hijacking is mitigated by the use of `HttpOnly` session cookies.
To remediate, update to version 9.31.117 or above.
GHSA
WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability
ghsa·2025-09-23
CVE-2025-4760 [MEDIUM] CWE-79 WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability
WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability
An authenticated stored Cross-Site Scripting (XSS) vulnerability exists in WSO2 API Manager components (`carbon-apimgt`) due to insufficient validation of user-supplied input during API document upload in the Publisher portal.
A user with publisher privileges can upload a crafted API document whose contents are later rendered in the UI for other users, leading to attacker-controlled script execution. Likely outcomes include redirection to malicious sites, unauthorized UI modifications, or exfiltration of data accessible to the browser; session hijacking is mitigated by the use of `HttpOnly` session cookies.
To remediate, update to version 9.31.117 or above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-09-23
Published