We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-3509

Stored Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products via Rich Text Editor



Description

A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. While this issue enables persistent client-side script execution, session-related cookies remain protected with the httpOnly flag, preventing session hijacking.

Reserved 2024-04-09 | Published 2025-06-02 | Updated 2025-06-02 | Assigner WSO2


MEDIUM: 4.3CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unaffected

Any version before 6.6.0
unknown

6.6.0 before 6.6.0.202
affected

Default status
unaffected

Any version before 3.1.0
unknown

3.1.0 before 3.1.0.275
affected

3.2.0 before 3.2.0.392
affected

3.2.1 before 3.2.1.19
affected

4.0.0 before 4.0.0.308
affected

4.1.0 before 4.1.0.171
affected

4.2.0 before 4.2.0.107
affected

4.3.0 before 4.3.0.21
affected

Default status
unaffected

Any version before 2.0.0
unknown

2.0.0 before 2.0.0.325
affected

Default status
unaffected

Any version before 2.0.0
unknown

2.0.0 before 2.0.0.345
affected

Default status
unaffected

Any version before 5.10.0
unknown

5.10.0 before 5.10.0.292
affected

Default status
unaffected

Any version before 5.10.0
unknown

5.10.0 before 5.10.0.296
affected

5.11.0 before 5.11.0.333
affected

6.0.0 before 6.0.0.181
affected

6.1.0 before 6.1.0.142
affected

7.0.0 before 7.0.0.9
affected

Default status
unknown

4.7.24 before 4.7.24.6
affected

4.7.32 before 4.7.32.10
affected

4.7.33 before 4.7.33.8
affected

4.7.35 before 4.7.35.8
affected

4.7.39 before 4.7.39.6
affected

4.7.51 before 4.7.51.2
affected

4.8.3 before 4.8.3.7
affected

4.8.9 before 4.8.9.3
affected

4.8.12 before 4.8.12.2
affected

4.8.13 before 4.8.13.4
affected

4.8.24 before 4.8.24.1
affected

4.8.32 before 4.8.32.2
affected

4.8.35
unaffected

References

security.docs.wso2.com/...ity-advisories/2024/WSO2-2024-2701 vendor-advisory

cve.org (CVE-2024-3509)

nvd.nist.gov (CVE-2024-3509)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2024-3509

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.