WSO2 Enterprise Integrator vulnerabilities
32 known vulnerabilities affecting wso2/enterprise_integrator.
Total CVEs: 32
CISA KEV: 1 (actively exploited)
Public exploits: 6
Exploited in the wild: 3
Severity breakdown: Critical 2, High 9, Medium 21
Vulnerabilities
Page 1 of 2
CVE-2022-29464 | CRITICAL | CVSS 9.8 | CWE-22 | Priority P1 | Tags: CISA KEV, public PoC, ransomware | Affected EI: ≥ 6.2.0, ≤ 6.6.0 | Date: 2022-04-18
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0
Source: NVD
CVE-2025-5605 | MEDIUM | CVSS 5.3 | CWE-290 | Priority P1 | Tags: exploited in the wild, public PoC | Affected EI: 6.6.0 | Date: 2025-10-24
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure.
The known exposure from this issue is limited to memory statistics
Source: NVD
CVE-2020-17453 | MEDIUM | CVSS 6.1 | CWE-79 | Priority P2 | Tags: exploited in the wild, public PoC | Affected EI: ≤ 6.6.0 | Date: 2021-04-05
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
Source: NVD
CVE-2022-29548 | MEDIUM | CVSS 6.1 | CWE-79 | Priority P3 | Tags: public PoC | Affected EI: 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0 | Date: 2022-04-21
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0,
Source: NVD
CVE-2025-10713 | CRITICAL | CVSS 9.1 | CWE-611 | Priority P3 | Affected EI: 6.6.0 | Date: 2025-11-05
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from t
Source: NVD
CVE-2025-10907 | HIGH | CVSS 7.2 | CWE-434 | Priority P3 | Affected EI: 6.6.0 | Date: 2025-11-05
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.
Successful exploitation may lead to remote code exe
Source: NVD
CVE-2025-3125 | HIGH | CVSS 7.2 | CWE-434 | Priority P3 | Affected EI: 6.6.0 | Date: 2025-11-05
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).
This functionality is
Source: NVD
CVE-2025-1862 | HIGH | CVSS 7.2 | CWE-434 | Priority P3 | Affected EI: 6.6.0 | Date: 2025-09-26
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server.
By leveraging this vulnerability, an attacker can upload a spe
Source: NVD
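CVE-2022-29464 above and the three admin-service upload entries (CVE-2025-10907, CVE-2025-3125, CVE-2025-1862) share one root cause: the client's filename or destination decides where the server writes the bytes. The check below is an added example, not WSO2's code. It parses the Content-Disposition header of each multipart part, refuses any filename that carries a path component (the ../../../../repository/deployment/server/webapps pattern quoted in the CVE-2022-29464 description is used as the constructed test vector), and then independently confirms that the resolved destination is still a direct child of the upload root. UPLOAD_ROOT, the multipart boundary and the request body are constructed for the demo.

```python
"""Containment check for multipart uploads: the filename a client sends in
Content-Disposition must never choose the directory the server writes to.
Added example, not WSO2 code.  UPLOAD_ROOT, the boundary and the sample
request body are constructed for the demo."""
from __future__ import annotations

from email.message import Message
from email.parser import BytesParser
from pathlib import Path, PurePosixPath, PureWindowsPath

UPLOAD_ROOT = Path("/opt/wso2ei/repository/deployment/server/uploads")  # assumed


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename would escape UPLOAD_ROOT."""


def filename_from_content_disposition(value: str) -> str | None:
    """Parse the filename (or RFC 2231 filename*) parameter of one header."""
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename()


def multipart_filenames(content_type: str, body: bytes) -> list[str]:
    """Filenames declared by every part of a multipart/form-data body."""
    msg = BytesParser().parsebytes(
        b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def safe_destination(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Return root/<filename> or raise if the name carries any path component.

    Rejecting is preferred to stripping: a name like "....//shell.war"
    survives a naive removal of one "../" and still traverses."""
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty or NUL-containing filename")
    # Treat both separator styles as separators, whatever OS the server runs on.
    if (PurePosixPath(filename).name != filename
            or PureWindowsPath(filename).name != filename
            or filename in (".", "..")):
        raise UnsafeFilename(f"path component in filename: {filename!r}")
    dest = (root / filename).resolve()
    # Second line of defence after the syntactic check: the resolved path must
    # still be a direct child of the (symlink-resolved) upload root.
    if dest.parent != root.resolve():
        raise UnsafeFilename(f"destination escapes upload root: {dest}")
    return dest


def rejects(filename: str) -> bool:
    """True when safe_destination() refuses the name."""
    try:
        safe_destination(filename)
    except UnsafeFilename:
        return True
    return False


def triage_request(content_type: str, body: bytes) -> dict[str, str]:
    """Map each declared filename to 'ok:<dest>' or 'rejected:<reason>'."""
    verdicts = {}
    for name in multipart_filenames(content_type, body):
        try:
            verdicts[name] = "ok:" + str(safe_destination(name))
        except UnsafeFilename as exc:
            verdicts[name] = "rejected:" + str(exc)
    return verdicts


# Constructed request body: one benign part and one carrying the traversal
# sequence quoted in the CVE-2022-29464 description.
BOUNDARY = "----wso2demo"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
TRAVERSAL_NAME = "../../../../repository/deployment/server/webapps/shell.war"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="report.xml"\r\n'
    "Content-Type: text/xml\r\n\r\n<report/>\r\n"
    f"--{BOUNDARY}\r\n"
    f'Content-Disposition: form-data; name="file"; filename="{TRAVERSAL_NAME}"\r\n'
    "Content-Type: application/octet-stream\r\n\r\nnot-really-a-war\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")

if __name__ == "__main__":
    for name, verdict in triage_request(CONTENT_TYPE, SAMPLE_BODY).items():
        print(f"{name}\n    {verdict}")
```

Run stand-alone, it prints one verdict per part: report.xml is accepted and the traversal name is rejected before any file handle is opened. The two checks are deliberately independent: the syntactic test catches Windows-style separators and bare "..", and the resolved-path test catches anything a symlink under the upload root might otherwise let through.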
CVE-2025-11093 | HIGH | CVSS 7.2 | CWE-94 | Priority P3 | Affected EI: ≥ 6.6.0, < 6.6.0.224 | Date: 2025-11-05
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.
By default, access to these scripting engines is limited to administrators
Source: NVD
CVE-2022-39810 | MEDIUM | CVSS 6.1 | CWE-79 | Priority P3 | Affected EI: 6.4.0 | Date: 2022-09-09
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible.
Source: NVD
CVE-2025-5350 | MEDIUM | CVSS 4.8 | CWE-79 | Priority P4 | Tags: public PoC | Affected EI: 6.6.0 | Date: 2025-10-24
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response,
Source: NVD
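The SSRF half of CVE-2025-5350 comes from fetching a user-supplied URL without validation. The validator below is an added example, not WSO2's code: it checks scheme, userinfo, port and, crucially, the addresses the hostname resolves to, because a hostname-only allow or deny list is bypassed by a name that resolves to 127.0.0.1 or an RFC 1918 address. The resolver is injectable so the demo runs offline against a constructed DNS table; ALLOWED_PORTS (web defaults plus WSO2 EI's default pass-through ports) and the sample URLs are assumptions for the demo.

```python
"""Validate a user-supplied outbound URL before the server fetches it.
Added example, not WSO2 code.  ALLOWED_PORTS and the fake DNS table are
constructed for the demo."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8280, 8243}  # assumed: web defaults plus EI pass-through ports

Resolver = Callable[[str], Iterable[str]]


class UnsafeUrl(ValueError):
    """The URL must not be fetched on the user's behalf."""


def system_resolver(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for the name."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (which includes
    # 169.254.169.254 cloud metadata), CGNAT, documentation and reserved ranges.
    return ip.is_global


def validate_target(url: str, resolver: Resolver = system_resolver) -> tuple[str, list[str]]:
    """Return (host, public addresses) or raise UnsafeUrl.

    Connect to one of the returned addresses instead of re-resolving the name,
    so a DNS answer that changes between check and use cannot redirect the
    request, and re-run this check on every HTTP redirect target."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "https://api.example.com@10.0.0.5/" hides the real host behind userinfo.
        raise UnsafeUrl("userinfo in URL")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("no host")
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError as exc:  # non-numeric or out-of-range port
        raise UnsafeUrl("bad port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port}")
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal address: judge it directly
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        raise UnsafeUrl(f"{host} does not resolve")
    for addr in addrs:
        if not _is_public(addr):
            raise UnsafeUrl(f"{host} -> {addr} is not a public address")
    return host, addrs


def is_blocked(url: str, resolver: Resolver = system_resolver) -> bool:
    try:
        validate_target(url, resolver)
    except UnsafeUrl:
        return True
    return False


# Constructed DNS table standing in for the real resolver in the demo.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.12"],
    "metadata.example": ["169.254.169.254"],
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/orders", "http://internal.example.com/",
                "http://127.0.0.1:8243/services/", "http://[::ffff:127.0.0.1]/",
                "https://api.example.com@10.0.0.5/", "http://metadata.example/latest/"):
        print("blocked " if is_blocked(url, fake_resolver) else "allowed ", url)
```

Only the first URL passes. Two caveats the code comments state and a deployment must honour: the fetch has to connect to an address returned by validate_target rather than resolving the name a second time, and any redirect the remote server returns is a new URL that needs the same check.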
CVE-2017-14651 | MEDIUM | CVSS 4.8 | CWE-79 | Priority P4 | Tags: public PoC | Affected EI: 6.1.1 | Date: 2017-09-21
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
Source: NVD
CVE-2025-6670 | HIGH | CVSS 8.8 | CWE-352 | Priority P3 | Affected EI: 6.6.0 | Date: 2025-11-18
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows co
Source: NVD
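The CVE-2025-6670 description hinges on a browser rule worth seeing in code: a cookie marked SameSite=Lax is withheld from cross-site POSTs but is still attached to top-level cross-site navigations that use a safe method, so a GET that changes state is reachable from any link or redirect an attacker controls. The model below is an added example, not WSO2's code: it encodes that rule, shows the legacy GET endpoint firing on a forged navigation, and contrasts it with a gate that refuses safe methods, checks Fetch Metadata and Origin, and requires a per-session token. The endpoint path, console host and sample requests are constructed.

```python
"""Why SameSite=Lax does not protect a state-changing GET, and a request gate
that does.  Added example, not WSO2 code: the endpoint path, host and sample
requests are constructed; the Lax rule modelled is the browser's."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SITE = "console.example.internal"  # assumed console host


@dataclass
class Request:
    method: str
    path: str
    cross_site: bool   # initiator's site differs from the console's site
    top_level: bool    # a navigation (link, redirect, form submit), not XHR/fetch
    headers: dict[str, str] = field(default_factory=dict)
    form: dict[str, str] = field(default_factory=dict)


def lax_cookie_sent(req: Request) -> bool:
    """Browser rule for a SameSite=Lax cookie: always sent same-site; sent
    cross-site only on a top-level navigation with a safe method."""
    if not req.cross_site:
        return True
    return req.top_level and req.method in SAFE_METHODS


def legacy_get_endpoint_executes(req: Request) -> bool:
    """Vulnerable pattern: GET performs the change and the only guard is the
    session cookie, so it runs whenever the browser attaches that cookie."""
    return (req.method == "GET"
            and req.path.startswith("/admin/events/delete")   # constructed path
            and lax_cookie_sent(req))


class CsrfGate:
    """Hardened pattern: POST only, Fetch Metadata/Origin check, per-session token."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}

    def new_session(self) -> tuple[str, str]:
        sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._tokens[sid] = token
        return sid, token

    def authorize_state_change(self, req: Request, sid: str | None) -> tuple[bool, str]:
        if sid is None or not lax_cookie_sent(req):
            return False, "no session cookie on this request"
        if req.method in SAFE_METHODS:
            return False, "state changes must not be reachable over GET/HEAD/OPTIONS"
        fetch_site = req.headers.get("Sec-Fetch-Site")
        if fetch_site not in (None, "same-origin", "same-site", "none"):
            return False, f"Sec-Fetch-Site={fetch_site}"
        origin = req.headers.get("Origin")
        if origin is not None and origin != f"https://{SITE}":
            return False, f"foreign Origin {origin}"
        expected = self._tokens.get(sid)
        if expected is None or not hmac.compare_digest(expected, req.form.get("csrf_token", "")):
            return False, "missing or wrong CSRF token"
        return True, "ok"


def scenario() -> dict[str, object]:
    """Constructed requests: a victim with a live session visits an attacker page."""
    gate = CsrfGate()
    sid, token = gate.new_session()
    forged_get = Request("GET", "/admin/events/delete?name=orders", cross_site=True, top_level=True,
                         headers={"Sec-Fetch-Site": "cross-site"})
    forged_post = Request("POST", "/admin/events/delete", cross_site=True, top_level=True,
                          headers={"Sec-Fetch-Site": "cross-site", "Origin": "https://attacker.example"},
                          form={"name": "orders"})
    same_site_no_token = Request("POST", "/admin/events/delete", cross_site=False, top_level=False,
                                 headers={"Sec-Fetch-Site": "same-origin"}, form={"name": "orders"})
    legit_post = Request("POST", "/admin/events/delete", cross_site=False, top_level=False,
                         headers={"Sec-Fetch-Site": "same-origin", "Origin": f"https://{SITE}"},
                         form={"name": "orders", "csrf_token": token})
    return {
        "lax_cookie_on_forged_get": lax_cookie_sent(forged_get),
        "legacy_executes_forged_get": legacy_get_endpoint_executes(forged_get),
        "lax_cookie_on_forged_post": lax_cookie_sent(forged_post),
        "gate_forged_get": gate.authorize_state_change(forged_get, sid),
        "gate_forged_post": gate.authorize_state_change(forged_post, sid),
        "gate_same_site_no_token": gate.authorize_state_change(same_site_no_token, sid),
        "gate_legit_post": gate.authorize_state_change(legit_post, sid),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:<28} {value}")
```

The output shows the asymmetry the CVE turns on: the forged POST never gets the cookie, the forged GET does, and the legacy endpoint acts on it. The gate's first two checks alone close that hole; the Fetch Metadata, Origin and token checks are defence in depth for clients that predate Fetch Metadata and for same-site subdomains that are not the console.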
CVE-2020-24703 | HIGH | CVSS 8.8 | Priority P3 | Affected EI: ≤ 6.6.0 | Date: 2020-08-27
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.
Source: NVD
CVE-2025-9804 | MEDIUM | CVSS 6.5 | CWE-284 | Priority P3 | Affected EI: 6.2.0, 6.3.0 | Date: 2025-10-16
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal admini
Source: NVD
CVE-2023-6836 | HIGH | CVSS 7.5 | CWE-611 | Priority P3 | Affected EI: ≤ 6.6.0 | Date: 2023-12-15
Multiple WSO2 products have been identified as vulnerable to an XML External Entity (XXE) attack, which abuses a widely available but rarely used feature of XML parsers to access sensitive information.
Source: NVD
CVE-2020-11885 | HIGH | CVSS 7.2 | CWE-611 | Priority P3 | Affected EI: ≤ 6.6.0 | Date: 2020-04-17
WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.
Source: NVD
CVE-2020-12719 | HIGH | CVSS 7.2 | CWE-611 | Priority P3 | Affected EI: ≤ 6.4.0 | Date: 2020-05-08
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.
Source: NVD
CVE-2020-24591 | MEDIUM | CVSS 6.5 | CWE-611 | Priority P4 | Affected EI: 6.2.0, 6.3.0 | Date: 2020-08-21
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.
Source: NVD
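Five entries on this page (CVE-2025-10713, CVE-2023-6836, CVE-2020-11885, CVE-2020-12719, CVE-2020-24591) are the same CWE-611 defect in different admin-console inputs: an XML parser configured to resolve external entities on user-supplied documents. The code below is an added example, not WSO2's code; Python's standard-library expat and SAX parsers stand in for the Java XML stack the affected products use. It shows the two-layer fix a practitioner would want: refuse any document that declares a DTD or entity at all, and, for the parse itself, switch off external general and parameter entities so a DTD that slips past the first check still cannot fetch files or URLs. The SOAP envelopes and the entity payloads are constructed test inputs; no entity is ever resolved.

```python
"""Refuse DTDs and external entities before parsing untrusted XML.
Added example, not WSO2 code: Python's stdlib expat/SAX stands in for the Java
XML stack the affected products use.  The SOAP envelopes below are constructed."""
from __future__ import annotations

import io
import xml.parsers.expat as expat
import xml.sax
from xml.sax import handler


class DoctypeForbidden(ValueError):
    """The document declares a DTD or an entity; it is rejected outright."""


def assert_no_dtd(xml_bytes: bytes) -> None:
    """Pass 1: scan with expat and abort on any DOCTYPE or ENTITY declaration.

    Refusing the DTD is stricter than only disabling external entities: it also
    stops internal-entity expansion bombs and parameter-entity tricks."""
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise DoctypeForbidden("DOCTYPE/ENTITY declaration in untrusted XML")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.Parse(xml_bytes, True)


def hardened_parser() -> xml.sax.xmlreader.XMLReader:
    """Pass 2 parser with external general and parameter entities switched off.

    The SAX feature names are Python's; the corresponding Xerces/JAXP settings
    on a Java service are the "http://apache.org/xml/features/disallow-doctype-decl"
    feature and XMLConstants.FEATURE_SECURE_PROCESSING."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    return parser


class _TextCollector(handler.ContentHandler):
    """Collect character data per element name (enough for the demo)."""

    def __init__(self) -> None:
        super().__init__()
        self.text: dict[str, str] = {}
        self._open: list[str] = []

    def startElement(self, name, attrs):
        self._open.append(name)
        self.text.setdefault(name, "")

    def characters(self, content):
        if self._open:
            self.text[self._open[-1]] += content

    def endElement(self, name):
        self._open.pop()


def parse_untrusted(xml_bytes: bytes) -> dict[str, str]:
    """Parse user-supplied XML into {element: text}, raising on any DTD."""
    assert_no_dtd(xml_bytes)
    collector = _TextCollector()
    parser = hardened_parser()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def is_rejected(xml_bytes: bytes) -> bool:
    try:
        parse_untrusted(xml_bytes)
    except DoctypeForbidden:
        return True
    return False


# Constructed inputs: a plain SOAP request, a file-reading external entity of
# the kind the XXE entries describe, and an internal entity (expansion-bomb shape).
BENIGN = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><name>orders-datasource</name></soapenv:Body>
</soapenv:Envelope>"""

EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><name>&xxe;</name></soapenv:Body>
</soapenv:Envelope>"""

INTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE a [ <!ENTITY e "xxxxxxxxxxxxxxxx"> <!ENTITY f "&e;&e;&e;&e;"> ]>
<a>&f;</a>"""

if __name__ == "__main__":
    print(parse_untrusted(BENIGN))
    for label, doc in (("external entity", EXTERNAL_ENTITY), ("internal entity", INTERNAL_ENTITY)):
        print(label, "rejected" if is_rejected(doc) else "accepted")
```

The benign envelope parses to its element text; both DTD-bearing documents are rejected by the first pass, so the hardened parser in the second pass is only ever a backstop. That ordering matters for the CVE-2020-11885 shape in particular, where the dangerous effect is an outbound network request during parsing: a check that runs after the parser has started is too late.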
CVE-2025-9955 | MEDIUM | CVSS 5.7 | CWE-863 | Priority P4 | Affected EI: 6.0.0, 6.1.0 and 6 more | Date: 2025-10-16
An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level
Source: NVD