Wso2

Identity Server

59 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.6

CVE-2024-2321

  • EPSS 0.13%
  • Veröffentlicht 27.02.2025 05:15:13
  • Zuletzt bearbeitet 03.10.2025 16:29:15

An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session coo...

4.8

CVE-2023-6911

  • EPSS 0.35%
  • Veröffentlicht 18.12.2023 09:15:05
  • Zuletzt bearbeitet 21.11.2024 08:44:49

Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console....

6.1

CVE-2023-6838

  • EPSS 0.59%
  • Veröffentlicht 15.12.2023 10:15:10
  • Zuletzt bearbeitet 21.11.2024 08:44:39

Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.

8.2

CVE-2023-6837

  • EPSS 0.32%
  • Veröffentlicht 15.12.2023 10:15:09
  • Zuletzt bearbeitet 05.06.2025 09:15:21

Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for feder...

7.5

CVE-2023-6836

  • EPSS 0.17%
  • Veröffentlicht 15.12.2023 10:15:09
  • Zuletzt bearbeitet 21.11.2024 08:44:38

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

9.1

CVE-2021-42646

  • EPSS 1.34%
  • Veröffentlicht 11.05.2022 18:15:23
  • Zuletzt bearbeitet 21.11.2024 06:27:54

XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Se...

6.1

CVE-2022-29548

Exploit
  • EPSS 64.56%
  • Veröffentlicht 21.04.2022 02:15:06
  • Zuletzt bearbeitet 21.11.2024 06:59:18

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Serve...

10

CVE-2022-29464

Warnung Exploit
  • EPSS 94.43%
  • Veröffentlicht 18.04.2022 22:15:09
  • Zuletzt bearbeitet 07.11.2025 19:01:08

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../....

6.1

CVE-2021-36760

  • EPSS 0.67%
  • Veröffentlicht 07.12.2021 21:15:08
  • Zuletzt bearbeitet 21.11.2024 06:14:02

In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset...

6.1

CVE-2020-17453

Exploit
  • EPSS 60.65%
  • Veröffentlicht 05.04.2021 22:15:12
  • Zuletzt bearbeitet 21.11.2024 05:08:08

WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.