5.9
CVE-2025-5350
- EPSS 0.02%
- Veröffentlicht 24.10.2025 10:15:38
- Zuletzt bearbeitet 21.11.2025 14:33:52
- Quelle ed10eef1-636d-4fbe-9993-6890df
- CVE-Watchlists
- Unerledigt
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk. Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Wso2 ≫ Api Control Plane Version4.5.0 Update-
Wso2 ≫ Api Manager Version3.1.0
Wso2 ≫ Api Manager Version3.2.0
Wso2 ≫ Api Manager Version3.2.1
Wso2 ≫ Api Manager Version4.0.0
Wso2 ≫ Api Manager Version4.1.0 Update-
Wso2 ≫ Api Manager Version4.2.0 Update-
Wso2 ≫ Api Manager Version4.3.0 Update-
Wso2 ≫ Api Manager Version4.4.0 Update-
Wso2 ≫ Api Manager Version4.5.0 Update-
Wso2 ≫ Enterprise Integrator Version6.6.0
Wso2 ≫ Identity Server Version5.10.0
Wso2 ≫ Identity Server Version5.11.0
Wso2 ≫ Identity Server Version6.0.0 Update-
Wso2 ≫ Identity Server Version6.1.0 Update-
Wso2 ≫ Identity Server Version7.0.0 Update-
Wso2 ≫ Identity Server Version7.1.0 Update-
Wso2 ≫ Identity Server As Key Manager Version5.10.0
Wso2 ≫ Open Banking Am Version2.0.0
Wso2 ≫ Open Banking Iam Version2.0.0
Wso2 ≫ Traffic Manager Version4.5.0
Wso2 ≫ Universal Gateway Version4.5.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.042 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.9 | 1.7 | 3.7 |
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.