
Wso2 Identity Server vulnerabilities

67 known vulnerabilities affecting wso2/identity_server.

Total CVEs: 67
CISA KEV: 1 (actively exploited)
Public exploits: 10
Exploited in wild: 4
Severity breakdown: CRITICAL 7, HIGH 16, MEDIUM 43, LOW 1

Vulnerabilities

Page 4 of 4
CVE-2024-6429 | P4 | MEDIUM | CVSS 4.3 | Affected: v5.10.0, v5.11.0, +3 more | 2025-09-23
[MEDIUM] CWE-451: A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI. By exploiting this vulnerability, attackers can manipulate browser-displayed error m
Source: nvd

CVE-2024-0391 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 5.10.0, < 5.10.0.379; ≥ 5.11.0, < 5.11.0.426; +3 more | 2026-05-11
[MEDIUM] CWE-204: The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns o
Source: nvd

CVE-2025-0672 | P4 | LOW | CVSS 3.8 | Affected: v5.10.0, v5.11.0 | 2025-09-23
[LOW] CWE-287: An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO
Source: nvd

CVE-2019-20443 | P4 | MEDIUM | CVSS 4.8 | Affected: v5.7.0, v5.8.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI.
Source: nvd

CVE-2019-20442 | P4 | MEDIUM | CVSS 4.8 | Affected: v5.7.0, v5.8.0 | 2020-01-28
[MEDIUM] CWE-79: An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI.
Source: nvd

CVE-2023-6911 | P4 | MEDIUM | CVSS 4.8 | Affected: v5.4.0, v5.4.1, +6 more | 2023-12-18
[MEDIUM] CWE-79: Multiple WSO2 products have been identified as vulnerable due to improper output encoding; a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.
Source: nvd

CVE-2024-3509 | P4 | MEDIUM | CVSS 4.3 | Affected: v5.10.0, v5.11.0, +3 more | 2025-06-02
[MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the act
Source: nvd