
Description

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.
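The defect class described above (CWE-79 via a request value echoed into an error message without output encoding) is easiest to see as a vulnerable rendering routine beside its hardened form. The Java below is an added illustration written for this record; it is not WSO2 code and does not reproduce the affected component. The class and method names, the template markup and the sample JDBC URL are all assumptions constructed for the example.

```java
// Added illustration (not WSO2 code): encoding a reflected request value before
// it is placed into an HTML error message, the defect class CWE-79 describes.
public class ErrorMessageEncoding {

    /** Minimal encoder for the HTML text and quoted-attribute contexts: the five
     *  characters that can terminate a text node or attribute value are replaced
     *  by entity references. */
    public static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable shape (hypothetical): the JDBC URL taken from the validation
     *  request is concatenated straight into the markup of the error response. */
    public static String renderErrorVulnerable(String jdbcUrl, String cause) {
        return "<div class=\"error\">Could not connect to " + jdbcUrl
                + ": " + cause + "</div>";
    }

    /** Hardened shape: every value that originated in the request, including
     *  driver exception text that may echo the URL back, is encoded for the
     *  HTML text context at the point of output. */
    public static String renderErrorEncoded(String jdbcUrl, String cause) {
        return "<div class=\"error\">Could not connect to " + htmlEncode(jdbcUrl)
                + ": " + htmlEncode(cause) + "</div>";
    }

    /** Regression check for a test suite: after stripping the template's own
     *  wrapper, the rendered output must contain no angle brackets at all.
     *  Returns true when the output is clean. */
    public static boolean hasNoInjectedTags(String rendered) {
        String body = rendered
                .replace("<div class=\"error\">", "")
                .replace("</div>", "");
        return body.indexOf('<') < 0 && body.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample input: a connection URL carrying markup, as an
        // attacker-controlled request parameter might.
        String untrustedUrl = "jdbc:mysql://db.example.test/<script>alert(1)</script>";
        String cause = "Communications link failure"; // constructed driver text

        String vulnerable = renderErrorVulnerable(untrustedUrl, cause);
        String encoded = renderErrorEncoded(untrustedUrl, cause);

        System.out.println("vulnerable: " + vulnerable);
        System.out.println("encoded:    " + encoded);
        System.out.println("vulnerable clean? " + hasNoInjectedTags(vulnerable));
        System.out.println("encoded clean?    " + hasNoInjectedTags(encoded));
    }
}
```

In production code a maintained library such as the OWASP Java Encoder (`org.owasp.encoder.Encode.forHtml`) should replace the hand-written `htmlEncode`; the point of the example is where the encoding has to happen (at output, for every request-derived value, chosen for the HTML context the value lands in), not the encoder itself. The `hasNoInjectedTags` check is the kind of assertion a regression test can make against the rendered error page so the defect does not return in a later release.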

State: PUBLISHED | Reserved 2024-08-20 | Published 2025-06-02 | Updated 2025-10-21 | Assigner WSO2

Severity: MEDIUM 5.2 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unaffected

Any version before 6.6.0
unknown

6.6.0 (custom) before 6.6.0.211
affected

Default status
unaffected

Any version before 3.1.0
unknown

3.1.0 (custom) before 3.1.0.305
affected

3.2.0 (custom) before 3.2.0.396
affected

3.2.1 (custom) before 3.2.1.28
affected

4.0.0 (custom) before 4.0.0.313
affected

4.1.0 (custom) before 4.1.0.182
affected

4.2.0 (custom) before 4.2.0.121
affected

4.3.0 (custom) before 4.3.0.32
affected

4.4.0 (custom) before 4.4.0.1
affected

4.5.0 (custom) before 4.5.0.16
affected

Default status
unaffected

Any version before 5.10.0
unknown

5.10.0 (custom) before 5.10.0.321
affected

Default status
unaffected

Any version before 5.10.0
unknown

5.10.0 (custom) before 5.10.0.328
affected

5.11.0 (custom) before 5.11.0.374
affected

6.0.0 (custom) before 6.0.0.216
affected

6.1.0 (custom) before 6.1.0.201
affected

7.0.0 (custom) before 7.0.0.69
affected

Default status
unaffected

Any version before 2.0.0
unknown

2.0.0 (custom) before 2.0.0.374
affected

Default status
unaffected

Any version before 2.0.0
unknown

2.0.0 (custom) before 2.0.0.354
affected

Default status
unaffected

4.5.0 (custom) before 4.5.0.16
affected

Default status
unaffected

4.5.0 (custom) before 4.5.0.17
affected

Default status
unaffected

4.5.0 (custom) before 4.5.0.16
affected

Default status
unknown

5.14.127 (custom) before 5.14.127.9
affected

5.17.5 (custom) before 5.17.5.289
affected

5.17.118 (custom) before 5.17.118.10
affected

5.18.187 (custom) before 5.18.187.276
affected

5.18.248 (custom) before 5.18.248.22
affected

5.23.8 (custom) before 5.23.8.193
affected

5.24.8 (custom) before 5.24.8.11
affected

5.25.92 (custom) before 5.25.92.104
affected

5.25.705 (custom) before 5.25.705.10
affected

5.25.713 (custom) before 5.25.713.1
affected

5.25.724 (custom) before 5.25.724.1
affected

7.0.78 (custom) before 7.0.78.46
affected

7.5.12 (custom)
unaffected

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2024-3178/ vendor-advisory

cve.org (CVE-2024-8008)

nvd.nist.gov (CVE-2024-8008)
