Skip to main content

Wso2 Identity Server As Key Manager

4 CVEs product

Monthly

CVE-2025-8591 MEDIUM PATCH This Month

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

XSS Wso2 Identity Server Wso2 Api Manager Wso2 Api Control Plane Wso2 Traffic Manager +4
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-1248 MEDIUM This Month

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wso2 Api Manager Wso2 Identity Server Wso2 Identity Server As Key Manager Wso2 Open Banking Am +1
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-0391 MEDIUM PATCH This Month

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wso2 Identity Server Wso2 Open Banking Iam Wso2 Identity Server As Key Manager Email Otp Authenticator +1
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-2374 HIGH PATCH This Week

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Denial Of Service Wso2 Api Manager Wso2 Identity Server Wso2 Open Banking Am +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

XSS Wso2 Identity Server Wso2 Api Manager +6
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wso2 Api Manager Wso2 Identity Server +3
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wso2 Identity Server Wso2 Open Banking Iam +3
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Denial Of Service Wso2 Api Manager +4
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy