Skip to main content

Wso2 Carbon Api Management Implementation

2 CVEs product

Monthly

CVE-2025-8325 MEDIUM PATCH This Month

Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to invoke Gateway and Internal Service APIs without proper permission enforcement, enabling unauthorized operations on sensitive REST API endpoints. The vulnerability affects multiple WSO2 products including API Control Plane, Universal Gateway, and Traffic Manager. CVSS 6.3 (network-accessible, low complexity, requires valid user credentials) indicates moderate severity with clear lateral privilege escalation potential in multi-tenant environments.

Information Disclosure Wso2 Api Control Plane Wso2 Universal Gateway Wso2 Traffic Manager Wso2 Api Manager +2
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-8154 MEDIUM PATCH This Month

HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or overwrite arbitrary HTTP response headers via unsanitized user-supplied input. Successful exploitation enables cache manipulation, security header alteration, cookie injection, and potential session hijacking. CVSS 5.3 (network-accessible, low complexity, no authentication required); no public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Wso2 Api Manager Wso2 Universal Gateway Wso2 Traffic Manager Wso2 Api Control Plane +2
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to invoke Gateway and Internal Service APIs without proper permission enforcement, enabling unauthorized operations on sensitive REST API endpoints. The vulnerability affects multiple WSO2 products including API Control Plane, Universal Gateway, and Traffic Manager. CVSS 6.3 (network-accessible, low complexity, requires valid user credentials) indicates moderate severity with clear lateral privilege escalation potential in multi-tenant environments.

Information Disclosure Wso2 Api Control Plane Wso2 Universal Gateway +4
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or overwrite arbitrary HTTP response headers via unsanitized user-supplied input. Successful exploitation enables cache manipulation, security header alteration, cookie injection, and potential session hijacking. CVSS 5.3 (network-accessible, low complexity, no authentication required); no public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Wso2 Api Manager Wso2 Universal Gateway +4
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy