
WSO2 API Manager vulnerabilities

79 known vulnerabilities affecting wso2/api_manager.

Total CVEs: 79
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 13, HIGH 15, MEDIUM 51

Vulnerabilities

Page 3 of 4
CVE-2019-6515 | P4 | MEDIUM | CVSS 5.3 | v2.6.0 | 2019-05-14
An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user.
Source: nvd
CVE-2024-10242 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | ≥ 3.2.0, < 3.2.0.401; ≥ 4.0.0, < 4.0.0.318 | 2026-04-16
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious we
Source: nvd
CVE-2024-1440 | P4 | MEDIUM | CWE-601 | CVSS 6.1 | v3.1.0, v3.2.0 (+1 more) | 2025-06-02
An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users in
Source: nvd
CVE-2019-6513 | P4 | MEDIUM | CWE-434 | CVSS 5.4 | v2.6.0 | 2019-05-21
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.
Source: nvd
CVE-2019-20436 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v2.6.0 | 2020-01-28
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The
Source: nvd
CVE-2019-20437 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v2.6.0 | 2020-01-28
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect's URI as the provisioning claim in the advanced claim configurati
Source: nvd
CVE-2024-7096 | P4 | MEDIUM | CWE-863 | CVSS 5.4 | v2.0.0, v2.1.0 (+11 more) | 2025-05-30
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that
Source: nvd
CVE-2023-6838 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v3.1.0, v3.2.0 | 2023-12-15
Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.
Source: nvd
CVE-2024-5962 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v4.2.0, v4.3.0 | 2025-05-22
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of multiple WSO2 products due to missing output encoding of user-supplied input. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the authentication flow, potentially leading to UI modifications, redirections to malicious websi
Source: nvd
CVE-2025-5770 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v4.2.0, v4.3.0 (+2 more) | 2025-11-05
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirec
Source: nvd
CVE-2023-6835 | P4 | MEDIUM | CWE-20 | CVSS 5.3 | v2.2.0, v2.5.0 (+1 more) | 2023-12-15
Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated.
Source: nvd
CVE-2020-24706 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | ≤ 3.1.0 | 2020-08-27
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
Source: nvd
CVE-2020-24704 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v2.2.0 | 2020-08-27
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 a
Source: nvd
CVE-2024-5848 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v3.1.0, v3.2.0 (+5 more) | 2025-02-27
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious JavaScript. Successful exploitation could lead to UI mani
Source: nvd
CVE-2025-10853 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v3.1.0, v3.2.0 (+7 more) | 2025-11-05
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to
Source: nvd
CVE-2024-4867 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | ≥ 3.2.0, < 3.2.0.408; ≥ 3.2.1, < 3.2.1.32 (+2 more) | 2026-04-16
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the
Source: nvd
CVE-2020-27885 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | v3.1.0 | 2020-10-29
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user's session by stealing cookies, which means that a malicious hacker can change the logged-in user's password and invalidate the session of the victim while the hacker maintains access.
Source: nvd
CVE-2018-20736 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | v2.6.0 | 2019-03-21
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. A DOM-based XSS exists in the store part of the product.
Source: nvd
CVE-2023-6839 | P4 | MEDIUM | CWE-209 | CVSS 5.3 | v3.0.0, v3.1.0 (+2 more) | 2023-12-15
Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.
Source: nvd
CVE-2023-31664 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 4.2.0 | 2023-05-23
A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter.
Source: nvd
WSO2 API Manager vulnerabilities | cvebase