Home

Description

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

PUBLISHED Reserved 2025-05-15 | Published 2025-09-23 | Updated 2025-09-23 | Assigner WSO2




MEDIUM: 4.8CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unaffected

Any version before 3.2.0
unknown

3.2.0 (custom) before 3.2.0.428
affected

3.2.1 (custom) before 3.2.1.48
affected

4.1.0 (custom) before 4.1.0.209
affected

4.2.0 (custom) before 4.2.0.145
affected

4.3.0 (custom) before 4.3.0.60
affected

4.4.0 (custom) before 4.4.0.23
affected

4.5.0 (custom) before 4.5.0.7
affected

Default status
unaffected

4.5.0 (custom) before 4.5.0.8
affected

Default status
unaffected

4.5.0 (custom) before 4.5.0.7
affected

Default status
unaffected

4.5.0 (custom) before 4.5.0.7
affected

Default status
unknown

6.7.206 (custom) before 6.7.206.559
affected

6.7.210 (custom) before 6.7.210.48
affected

9.20.74 (custom) before 9.20.74.365
affected

9.28.116 (custom) before 9.28.116.321
affected

9.29.120 (custom) before 9.29.120.163
affected

9.30.67 (custom) before 9.30.67.80
affected

9.31.86 (custom) before 9.31.86.30
affected

9.31.117 (custom)
unaffected

Credits

Phạm Hồ Anh Dũng reporter

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-4104/ vendor-advisory

cve.org (CVE-2025-4760)

nvd.nist.gov (CVE-2025-4760)

Download JSON