Wso2

Identity Server As Key Manager

32 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
4.3

CVE-2024-7097

  • EPSS 8.71%
  • Published 30.05.2025 15:04:09
  • Last modified 06.10.2025 13:51:05

An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious act...

5.4

CVE-2024-7096

  • EPSS 0.02%
  • Published 30.05.2025 14:54:32
  • Last modified 06.10.2025 13:58:40

A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: ...

9.8

CVE-2024-6914

  • EPSS 0.06%
  • Published 22.05.2025 18:26:15
  • Last modified 06.10.2025 13:56:53

An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, lea...

4.8

CVE-2023-6911

  • EPSS 0.35%
  • Published 18.12.2023 09:15:05
  • Last modified 21.11.2024 08:44:49

Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console....

6.1

CVE-2023-6838

  • EPSS 0.59%
  • Published 15.12.2023 10:15:10
  • Last modified 21.11.2024 08:44:39

Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.

8.2

CVE-2023-6837

  • EPSS 0.32%
  • Published 15.12.2023 10:15:09
  • Last modified 05.06.2025 09:15:21

Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for feder...

7.5

CVE-2023-6836

  • EPSS 0.17%
  • Published 15.12.2023 10:15:09
  • Last modified 21.11.2024 08:44:38

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

9.1

CVE-2021-42646

  • EPSS 1.27%
  • Published 11.05.2022 18:15:23
  • Last modified 21.11.2024 06:27:54

XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Se...

6.1

CVE-2022-29548

Exploit
  • EPSS 79.28%
  • Published 21.04.2022 02:15:06
  • Last modified 21.11.2024 06:59:18

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Serve...

10

CVE-2022-29464

Warning Exploit
  • EPSS 94.43%
  • Published 18.04.2022 22:15:09
  • Last modified 03.04.2025 18:54:31

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../....