
WSO2 API Manager vulnerabilities

79 known vulnerabilities affecting wso2/api_manager.

Total CVEs: 79
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 13, HIGH 15, MEDIUM 51

Vulnerabilities

Page 4 of 4

CVE | Priority | Severity | CVSS | Affected versions | Published
CVE-2020-17454 | P4 | MEDIUM | CVSS 6.1 | ≤ 3.1.0 | 2020-10-21
[MEDIUM] CWE-79: WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal box appears that writes an error message concatenated to the in
Source: nvd
CVE-2021-36760 | P4 | MEDIUM | CVSS 6.1 | v3.0.0, v3.1.0, +2 more | 2021-12-07
[MEDIUM] CWE-79: In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open re
Source: nvd
CVE-2018-20737 | P4 | MEDIUM | CVSS 5.4 | v2.6.0 | 2019-03-21
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
Source: nvd
CVE-2024-8008 | P4 | MEDIUM | CVSS 5.2 | v3.1.0, v3.2.0, +5 more | 2025-06-02
[MEDIUM] CWE-79: A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the v
Source: nvd
CVE-2019-15108 | P4 | MEDIUM | CVSS 4.8 | ≤ 2.6.0 | 2019-08-16
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component.
Source: nvd
CVE-2025-4760 | P4 | MEDIUM | CVSS 4.8 | v3.2.0, v3.2.1, +5 more | 2025-09-23
[MEDIUM] CWE-79: An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed b
Source: nvd
CVE-2024-3511 | P4 | MEDIUM | CVSS 4.3 | v3.2.0, v3.2.1, +4 more | 2025-06-23
[MEDIUM] CWE-863: An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploi
Source: nvd
CVE-2019-20435 | P4 | MEDIUM | CVSS 4.8 | v2.6.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful docName request parameter.
Source: nvd
CVE-2024-6429 | P4 | MEDIUM | CVSS 4.3 | v3.2.0, v3.2.1, +5 more | 2025-09-23
[MEDIUM] CWE-451: A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI. By exploiting this vulnerability, attackers can manipulate browser-displayed error m
Source: nvd
CVE-2019-20441 | P4 | MEDIUM | CVSS 4.8 | v2.6.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the 'implement phase' of the API Publisher.
Source: nvd
CVE-2019-20443 | P4 | MEDIUM | CVSS 4.8 | v2.6.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI.
Source: nvd
CVE-2019-20442 | P4 | MEDIUM | CVSS 4.8 | v2.6.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI.
Source: nvd
CVE-2023-6911 | P4 | MEDIUM | CVSS 4.8 | v2.2.0, v2.5.0, +4 more | 2023-12-18
[MEDIUM] CWE-79: Multiple WSO2 products have been identified as vulnerable due to improper output encoding; a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.
Source: nvd
CVE-2019-20438 | P4 | MEDIUM | CVSS 4.8 | v2.6.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the inline API documentation editor page of the API Publisher.
Source: nvd
CVE-2019-6512 | P4 | MEDIUM | CVSS 4.1 | v2.6.0 | 2019-05-14
[MEDIUM] CWE-918: An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network scanning), or to enumerate files because of the existence of the file:// wrapper.
Source: nvd
CVE-2019-20434 | P4 | MEDIUM | CVSS 4.8 | v2.6.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console.
Source: nvd
CVE-2019-20439 | P4 | MEDIUM | CVSS 4.8 | v2.6.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in defining a scope in the "manage the API" page of the API Publisher.
Source: nvd
CVE-2019-20440 | P4 | MEDIUM | CVSS 4.8 | v2.6.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the update API documentation feature of the API Publisher.
Source: nvd
CVE-2024-3509 | P4 | MEDIUM | CVSS 4.3 | v3.2.0, v3.2.1, +4 more | 2025-06-02
[MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the act
Source: nvd