
Description

A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, the text of an error message is taken from a URL parameter and rendered in the UI without validation, so an attacker who gets a victim to open a crafted link can place arbitrary text inside an otherwise legitimate, correctly branded page. The attacker controls what the browser displays as the error message, which enables social engineering through deceptive or misleading content. No authentication is needed, but the victim must open the attacker-supplied link (CVSS UI:R), and the impact is limited to the integrity of what the page shows (I:L); this is distinct from cross-site scripting, and output encoding alone does not prevent it.
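The pattern the advisory describes, shown as an added example that is not WSO2 code and uses hypothetical parameter names (`errorMsg`, `errorCode`) and a constructed sample URL: the vulnerable handler renders whatever message the URL carries, while the hardened handler accepts only an opaque code that is looked up in a server-side table, so the attacker can at most choose which of the product's own messages is shown. The `is_reflected` helper is the check a tester runs against a real page: put a canary string in the parameter and see whether it comes back verbatim.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a login-failure redirect that carries the message text in
# the URL. The parameter name is hypothetical; the advisory does not name it.
SPOOFED_URL = (
    "https://idp.example.test/login?errorMsg="
    "Your+session+expired.+Call+1-800-000-0000+to+re-activate+your+account"
)


def render_error_vulnerable(url: str) -> str:
    """Vulnerable pattern: the message text comes straight from the URL."""
    params = parse_qs(urlsplit(url).query)
    msg = params.get("errorMsg", ["Unknown error"])[0]
    # HTML-escaping stops script injection but not content spoofing: the
    # attacker-chosen sentence is still rendered inside the legitimate page.
    return f'<div class="error">{html.escape(msg)}</div>'


# Hardened pattern: the URL carries only an opaque code, and the wording lives
# in a server-side table the client cannot influence.
ERROR_MESSAGES = {
    "login.fail": "Login failed. Check your username and password.",
    "session.expired": "Your session has expired. Please sign in again.",
}
DEFAULT_MESSAGE = "An error occurred. Please try again."


def render_error_hardened(url: str) -> str:
    """Hardened pattern: unknown or missing codes fall back to a fixed message."""
    params = parse_qs(urlsplit(url).query)
    code = params.get("errorCode", [""])[0]
    msg = ERROR_MESSAGES.get(code, DEFAULT_MESSAGE)
    return f'<div class="error">{html.escape(msg)}</div>'


def is_reflected(render, url: str, canary: str) -> bool:
    """Tester's check: does a canary string placed in the URL appear verbatim
    in the rendered error? True means the page is spoofable."""
    return canary in render(url)


if __name__ == "__main__":
    print("vulnerable:", render_error_vulnerable(SPOOFED_URL))
    print("hardened:  ", render_error_hardened(SPOOFED_URL))
    print("reflected (vulnerable):", is_reflected(render_error_vulnerable, SPOOFED_URL, "1-800-000-0000"))
    print("reflected (hardened):  ", is_reflected(render_error_hardened, SPOOFED_URL, "1-800-000-0000"))
```

The allowlist approach is the fix to look for when verifying a patched build: the message text should never round-trip through the query string, only a key into a fixed set of messages.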

PUBLISHED Reserved 2024-07-01 | Published 2025-09-23 | Updated 2025-09-25 | Assigner WSO2

MEDIUM: 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Product status

Default status: unaffected
5.10.0 (custom) before 5.10.0.338: affected

Default status: unaffected
Any version before 3.2.0: unknown
3.2.0 (custom) before 3.2.0.409: affected
3.2.1 (custom) before 3.2.1.33: affected
4.0.0 (custom) before 4.0.0.327: affected
4.1.0 (custom) before 4.1.0.188: affected
4.2.0 (custom) before 4.2.0.128: affected
4.3.0 (custom) before 4.3.0.38: affected
4.4.0 (custom) before 4.4.0.4: affected

Default status: unaffected
Any version before 5.10.0: unknown
5.10.0 (custom) before 5.10.0.314: affected
5.11.0 (custom) before 5.11.0.359: affected
6.0.0 (custom) before 6.0.0.203: affected
6.1.0 (custom) before 6.1.0.176: affected
7.0.0 (custom) before 7.0.0.48: affected

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2024-3490/ vendor-advisory

cve.org (CVE-2024-6429)

nvd.nist.gov (CVE-2024-6429)
