Wso2 Universal Gateway
Monthly
Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffic Manager, and WSO2 API Control Plane - allows an unauthenticated remote attacker to send malicious JSON payloads to the throttling event handling mechanism, crashing or corrupting API Gateway state so that legitimate API traffic can no longer be processed. Because the outage is persistent and requires manual intervention to restore service, and the CVSS scope is changed (S:C), a single request can take down the entire API Gateway tier. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.
Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to invoke Gateway and Internal Service APIs without proper permission enforcement, enabling unauthorized operations on sensitive REST API endpoints. The vulnerability affects multiple WSO2 products including API Control Plane, Universal Gateway, and Traffic Manager. CVSS 6.3 (network-accessible, low complexity, requires valid user credentials) indicates moderate severity with clear lateral privilege escalation potential in multi-tenant environments.
HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or overwrite arbitrary HTTP response headers via unsanitized user-supplied input. Successful exploitation enables cache manipulation, security header alteration, cookie injection, and potential session hijacking. CVSS 5.3 (network-accessible, low complexity, no authentication required); no public exploit code or active exploitation confirmed at time of analysis.
Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffic Manager, and WSO2 API Control Plane - allows an unauthenticated remote attacker to send malicious JSON payloads to the throttling event handling mechanism, crashing or corrupting API Gateway state so that legitimate API traffic can no longer be processed. Because the outage is persistent and requires manual intervention to restore service, and the CVSS scope is changed (S:C), a single request can take down the entire API Gateway tier. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.
Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to invoke Gateway and Internal Service APIs without proper permission enforcement, enabling unauthorized operations on sensitive REST API endpoints. The vulnerability affects multiple WSO2 products including API Control Plane, Universal Gateway, and Traffic Manager. CVSS 6.3 (network-accessible, low complexity, requires valid user credentials) indicates moderate severity with clear lateral privilege escalation potential in multi-tenant environments.
HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or overwrite arbitrary HTTP response headers via unsanitized user-supplied input. Successful exploitation enables cache manipulation, security header alteration, cookie injection, and potential session hijacking. CVSS 5.3 (network-accessible, low complexity, no authentication required); no public exploit code or active exploitation confirmed at time of analysis.