
THREATINT
PUBLISHED

CVE-2024-7074

Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution
Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.

Reserved 2024-07-24 | Published 2025-06-02 | Updated 2025-06-02 | Assigner WSO2


MEDIUM: 6.8 | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status: unaffected
Any version before 6.0.0: unknown
6.0.0 before 6.0.0.21: affected
6.1.0 before 6.1.0.38: affected
6.1.1 before 6.1.1.42: affected
6.2.0 before 6.2.0.61: affected
6.3.0 before 6.3.0.69: affected
6.4.0 before 6.4.0.96: affected
6.5.0 before 6.5.0.102: affected
6.6.0 before 6.6.0.198: affected

Default status: unaffected
Any version before 2.0.0: unknown
2.0.0 before 2.0.0.28: affected
2.1.0 before 2.1.0.38: affected
2.2.0 before 2.2.0.57: affected
2.5.0 before 2.5.0.83: affected
2.6.0 before 2.6.0.143: affected
3.0.0 before 3.0.0.162: affected
3.1.0 before 3.1.0.293: affected
3.2.0 before 3.2.0.384: affected
3.2.1 before 3.2.1.16: affected
4.0.0 before 4.0.0.305: affected
4.1.0 before 4.1.0.166: affected
4.2.0 before 4.2.0.100: affected
4.3.0 before 4.3.0.16: affected

Default status: unknown
4.9.0 before 4.9.0.10: affected
5.0.0 before 5.0.0.28: affected

Default status: unknown
2.2.0 before 2.2.0.27: affected

Default status: unaffected
Any version before 1.0.0: unknown
1.0.0 before 1.0.0.49: affected

Default status: unaffected
Any version before 1.3.0: unknown
1.3.0 before 1.3.0.132: affected
1.4.0 before 1.4.0.135: affected
1.5.0 before 1.5.0.137: affected
2.0.0 before 2.0.0.342: affected

Default status: unknown
4.4.10 before 4.4.10.3: affected
4.6.1 before 4.6.1.4: affected
4.6.6 before 4.6.6.9: affected
4.6.10 before 4.6.10.4: affected
4.6.16 before 4.6.16.2: affected
4.6.19 before 4.6.19.10: affected
4.6.64 before 4.6.64.2: affected
4.6.67 before 4.6.67.15: affected
4.6.89 before 4.6.89.12: affected
4.6.105 before 4.6.105.59: affected
4.6.150 before 4.6.150.11: affected
4.7.20 before 4.7.20.5: affected
4.7.30 before 4.7.30.42: affected
4.7.35 before 4.7.35.5: affected
4.7.61 before 4.7.61.56: affected
4.7.99 before 4.7.99.299: affected
4.7.131 before 4.7.131.15: affected
4.7.175 before 4.7.175.18: affected
4.7.188 before 4.7.188.5: affected
4.7.204 before 4.7.204.5: affected
4.7.216: unaffected

Credits

Anonymous working with Trend Micro Zero Day Initiative (reporter)

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2024-3566/ (vendor advisory)

cve.org (CVE-2024-7074)

nvd.nist.gov (CVE-2024-7074)
