Skip to main content

Wso2 Api Manager EUVDEUVD-2024-55545

| CVE-2024-10242 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-16 WSO2 GHSA-6f87-4ph2-cp38
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 23, 2026 - 15:35 nvd
Patch available
Patch available
Apr 16, 2026 - 11:01 EUVD
EUVD ID Assigned
Apr 16, 2026 - 10:15 euvd
EUVD-2024-55545
CVE Published
Apr 16, 2026 - 09:45 nvd
MEDIUM 6.1

DescriptionCVE.org

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser.

Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

AnalysisAI

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking. Affected products include: Wso2 Wso2 Api Manager.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2026-2053 CRITICAL
10.0 Jun 26

Server-side request forgery in WSO2 API Manager lets unauthenticated remote attackers coerce the gateway into making ser

CVE-2026-4249 HIGH
8.6 Jul 06

Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffi

CVE-2024-2374 HIGH
7.5 Apr 16

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the

CVE-2025-8325 MEDIUM
6.3 May 11

Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to

CVE-2025-8591 MEDIUM
6.1 Jul 06

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP

CVE-2025-6024 MEDIUM
6.1 Apr 16

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script

CVE-2024-4867 MEDIUM
5.4 Apr 16

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or p

CVE-2024-1248 MEDIUM
5.3 Jul 04

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega

CVE-2025-8154 MEDIUM
5.3 May 11

HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or over

CVE-2025-13475 HIGH
7.3 Jul 04

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati

CVE-2024-8010 LOW
3.5 Apr 16

The component accepts XML input through the publisher without disabling external entity resolution. Rated low severity (

Share

EUVD-2024-55545 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy