Description
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.
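The two controls the description names as missing, input validation and output encoding, are illustrated below in an added example that is not WSO2 code and does not reflect the developer portal's actual rendering code; the function names, the API-name character constraint and the sample inputs are constructed for illustration. The block contrasts raw interpolation of untrusted input into markup with a hardened path that validates the value and HTML-encodes it for the text context, and it shows the session cookie attributes that limit the impact, as the advisory notes.

```javascript
// Added example (hypothetical code, not the WSO2 developer portal's own):
// contextual output encoding and input validation for untrusted values
// rendered into an HTML page, plus session cookie attributes that keep
// script in the page from reading the session token.

// Characters with meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for insertion into an HTML text node or quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed validation constraint: an API name is limited to a small
// character set and length. Validation alone is not a substitute for encoding,
// so the hardened renderer below applies both.
const API_NAME_RE = /^[A-Za-z0-9_.-]{1,64}$/;
function isValidApiName(name) {
  return API_NAME_RE.test(String(name));
}

// Unsafe rendering: the pattern the advisory describes, where user-supplied
// input reaches the page without validation or encoding.
function renderApiCardUnsafe(apiName, description) {
  return `<div class="api-card"><h2>${apiName}</h2><p>${description}</p></div>`;
}

// Hardened rendering: reject names outside the allowed set, and encode every
// untrusted value (including free text that cannot be constrained) for the
// HTML text context before it is placed in the markup.
function renderApiCardSafe(apiName, description) {
  if (!isValidApiName(apiName)) {
    throw new Error('API name contains characters outside the allowed set');
  }
  return `<div class="api-card"><h2>${escapeHtml(apiName)}</h2><p>${escapeHtml(description)}</p></div>`;
}

// Session cookie attributes: HttpOnly keeps document.cookie from exposing the
// token to page script, which is why the advisory rules out session hijacking.
// The cookie name and value are constructed.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Constructed sample inputs: a description containing markup characters.
const SAMPLE_NAME = 'PetStore';
const SAMPLE_DESCRIPTION = '<b>Pet Store</b> API & "friends"';

// Usage: the unsafe renderer passes the markup through; the safe one encodes it.
console.log(renderApiCardUnsafe(SAMPLE_NAME, SAMPLE_DESCRIPTION));
console.log(renderApiCardSafe(SAMPLE_NAME, SAMPLE_DESCRIPTION));
console.log(sessionCookieHeader('SESSION', 'constructed-session-value'));
```

Encoding is context-specific: `escapeHtml` is correct for text nodes and quoted attributes, but a value placed into a URL, a JavaScript string or a CSS property needs the encoder for that context, and a front-end framework's default text binding performs the equivalent of `escapeHtml` only as long as raw-HTML rendering paths are avoided.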
Problem types
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
Any version before 3.2.0
3.2.0 (custom) before 3.2.0.408
3.2.1 (custom) before 3.2.1.32
4.0.0 (custom) before 4.0.0.293
4.1.0 (custom) before 4.1.0.187
References
security.docs.wso2.com/...ty-advisories/2026/WSO2-2024-3391/