8.4
CVE-2025-11093
- EPSS 0.16%
- Veröffentlicht 05.11.2025 18:31:17
- Zuletzt bearbeitet 09.01.2026 02:33:37
- Quelle ed10eef1-636d-4fbe-9993-6890df
- CVE-Watchlists
- Unerledigt
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Wso2 ≫ Api Control Plane Version >= 4.5.0 < 4.5.0.29
Wso2 ≫ Api Manager Version >= 3.1.0 < 3.1.0.345
Wso2 ≫ Api Manager Version >= 3.2.0 < 3.2.0.446
Wso2 ≫ Api Manager Version >= 3.2.1 < 3.2.1.66
Wso2 ≫ Api Manager Version >= 4.1.0 < 4.1.0.228
Wso2 ≫ Api Manager Version >= 4.2.0 < 4.2.0.169
Wso2 ≫ Api Manager Version >= 4.3.0 < 4.3.0.81
Wso2 ≫ Api Manager Version >= 4.4.0 < 4.4.0.45
Wso2 ≫ Api Manager Version >= 4.5.0 < 4.5.0.28
Wso2 ≫ Enterprise Integrator Version >= 6.6.0 < 6.6.0.224
Wso2 ≫ Micro Integrator Version >= 4.0.0 < 4.0.0.145
Wso2 ≫ Micro Integrator Version >= 4.1.0 < 4.1.0.147
Wso2 ≫ Micro Integrator Version >= 4.2.0 < 4.2.0.141
Wso2 ≫ Micro Integrator Version >= 4.3.0 < 4.3.0.42
Wso2 ≫ Micro Integrator Version >= 4.4.0 < 4.4.0.27
Wso2 ≫ Traffic Manager Version >= 4.5.0 < 4.5.0.27
Wso2 ≫ Universal Gateway Version >= 4.5.0 < 4.5.0.27
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.37 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| ed10eef1-636d-4fbe-9993-6890dfa878f8 | 8.4 | 1.7 | 6 |
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.