Description
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.
Product status
Any version before 5.10.0
5.10.0 (custom) before 5.10.0.361
5.11.0 (custom) before 5.11.0.414
6.0.0 (custom) before 6.0.0.245
6.1.0 (custom) before 6.1.0.244
7.0.0 (custom) before 7.0.0.119
7.1.0 (custom) before 7.1.0.25
Any version before 6.6.0
6.6.0 (custom) before 6.6.0.217
4.5.0 (custom) before 4.5.0.10
4.5.0 (custom) before 4.5.0.10
Any version before 3.1.0
3.1.0 (custom) before 3.1.0.334
3.2.0 (custom) before 3.2.0.430
3.2.1 (custom) before 3.2.1.48
4.0.0 (custom) before 4.0.0.346
4.1.0 (custom) before 4.1.0.210
4.2.0 (custom) before 4.2.0.148
4.3.0 (custom) before 4.3.0.61
4.4.0 (custom) before 4.4.0.24
4.5.0 (custom) before 4.5.0.10
4.5.0 (custom) before 4.5.0.11
Any version before 5.10.0
5.10.0 (custom) before 5.10.0.354
Any version before 2.0.0
2.0.0 (custom) before 2.0.0.382
Any version before 2.0.0
2.0.0 (custom) before 2.0.0.403
4.5.3 (custom) before 4.5.3.40
4.6.0 (custom) before 4.6.0.1224
4.6.1 (custom) before 4.6.1.150
4.6.2 (custom) before 4.6.2.664
4.6.3 (custom) before 4.6.3.32
4.6.4 (custom) before 4.6.4.8
4.7.1 (custom) before 4.7.1.69
4.8.1 (custom) before 4.8.1.33
4.9.0 (custom) before 4.9.0.100
4.9.26 (custom) before 4.9.26.20
4.9.27 (custom) before 4.9.27.4
4.9.28 (custom) before 4.9.28.4
4.10.9 (custom) before 4.10.9.68
4.10.42 (custom) before 4.10.42.10
4.9.29 (custom)
4.10.90 (custom)
Credits
Noël Maccary
References
security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-4115/
