8.4
CVE-2025-11093
- EPSS 0.15%
- Veröffentlicht 05.11.2025 18:31:17
- Zuletzt bearbeitet 04.12.2025 21:09:03
- Quelle ed10eef1-636d-4fbe-9993-6890df
- CVE-Watchlists
- Unerledigt
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Wso2 ≫ Api Control Plane Version4.5.0 Update-
Wso2 ≫ Api Manager Version3.1.0
Wso2 ≫ Api Manager Version3.2.0
Wso2 ≫ Api Manager Version3.2.1
Wso2 ≫ Api Manager Version4.0.0
Wso2 ≫ Api Manager Version4.1.0 Update-
Wso2 ≫ Api Manager Version4.2.0 Update-
Wso2 ≫ Api Manager Version4.3.0 Update-
Wso2 ≫ Api Manager Version4.4.0 Update-
Wso2 ≫ Api Manager Version4.5.0 Update-
Wso2 ≫ Enterprise Integrator Version6.6.0
Wso2 ≫ Micro Integrator Version4.0.0
Wso2 ≫ Micro Integrator Version4.1.0
Wso2 ≫ Micro Integrator Version4.2.0
Wso2 ≫ Micro Integrator Version4.3.0
Wso2 ≫ Micro Integrator Version4.4.0
Wso2 ≫ Traffic Manager Version4.5.0
Wso2 ≫ Universal Gateway Version4.5.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.362 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| ed10eef1-636d-4fbe-9993-6890dfa878f8 | 8.4 | 1.7 | 6 |
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.