
WSO2 API Control Plane vulnerabilities

19 known vulnerabilities affecting wso2/wso2_api_control_plane.

Total CVEs: 19
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 8, MEDIUM 7

Vulnerabilities

CVE | Priority | Severity | CVSS | Flags | Affected versions | Date

CVE-2025-5605 | P1 | MEDIUM | CVSS 5.3 | Exploited, PoC | ≥ 4.5.0, < 4.5.0.11 | 2025-10-24
CWE-290: An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics
Source: nvd

CVE-2025-9312 | P2 | CRITICAL | CVSS 9.8 | - | ≥ 4.5.0, < 4.5.0.22 | 2025-11-18
CWE-306: A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is
Source: nvd

CVE-2025-10611 | P2 | CRITICAL | CVSS 9.8 | - | ≥ 4.5.0, < 4.5.0.29 | 2025-10-16
CWE-863: Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthentic
Source: nvd

CVE-2025-9152 | P2 | CRITICAL | CVSS 9.8 | - | ≥ 4.5.0, < 4.5.0.20 | 2025-10-16
CWE-306: An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the abil
Source: nvd

CVE-2025-10713 | P3 | CRITICAL | CVSS 9.1 | - | ≥ 4.5.0, < 4.5.0.27 | 2025-11-05
CWE-611: An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from t
Source: nvd

CVE-2025-8325 | P3 | HIGH | CVSS 8.8 | - | ≥ 4.5.0, < 4.5.0.18 | 2026-05-11
CWE-281: The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on
Source: nvd

CVE-2025-10907 | P3 | HIGH | CVSS 7.2 | - | ≥ 4.5.0, < 4.5.0.29 | 2025-11-05
CWE-434: An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code exe
Source: nvd

CVE-2025-3125 | P3 | HIGH | CVSS 7.2 | - | ≥ 4.5.0, < 4.5.0.2; ≥ 4.6.0, < 4.6.0.3 | 2025-11-05
CWE-434: An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is
Source: nvd

CVE-2025-13590 | P3 | HIGH | CVSS 7.2 | - | ≥ 4.5.0, < 4.5.0.39; ≥ 4.6.0, < 4.6.0.3 | 2026-02-19
CWE-434: A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Source: nvd

CVE-2025-5717 | P3 | HIGH | CVSS 7.2 | - | ≥ 4.5.0, < 4.5.0.6 | 2025-09-23
CWE-94: An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on
Source: nvd

CVE-2025-11093 | P3 | HIGH | CVSS 7.2 | - | ≥ 4.5.0, < 4.5.0.29 | 2025-11-05
CWE-94: An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators
Source: nvd

CVE-2025-5350 | P4 | MEDIUM | CVSS 4.8 | PoC | ≥ 4.5.0, < 4.5.0.7 | 2025-10-24
CWE-79: SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response,
Source: nvd

CVE-2025-6670 | P3 | HIGH | CVSS 8.8 | - | ≥ 4.5.0, < 4.5.0.36; ≥ 4.6.0, < 4.6.0.1 | 2025-11-18
CWE-352: A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows co
Source: nvd

CVE-2025-8154 | P3 | HIGH | CVSS 7.5 | - | ≥ 4.5.0, < 4.5.0.21 | 2026-05-11
CWE-74: In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, inc
Source: nvd

CVE-2025-9804 | P3 | MEDIUM | CVSS 6.5 | - | ≥ 4.5.0, < 4.5.0.24 | 2025-10-16
CWE-284: An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal admini
Source: nvd

CVE-2025-5770 | P4 | MEDIUM | CVSS 6.1 | - | ≥ 4.5.0, < 4.5.0.11 | 2025-11-05
CWE-79: A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirec
Source: nvd

CVE-2025-10853 | P4 | MEDIUM | CVSS 6.1 | - | ≥ 4.5.0, < 4.5.0.27 | 2025-11-05
CWE-79: A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to
Source: nvd

CVE-2024-8008 | P4 | MEDIUM | CVSS 5.2 | - | ≥ 4.5.0, < 4.5.0.17 | 2025-06-02
CWE-79: A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the v
Source: nvd

CVE-2025-4760 | P4 | MEDIUM | CVSS 4.8 | - | ≥ 4.5.0, < 4.5.0.8 | 2025-09-23
CWE-79: An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed b
Source: nvd