Home

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.

PUBLISHED Reserved 2025-06-25 | Published 2025-11-18 | Updated 2025-11-18 | Assigner WSO2




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Default status
unaffected

Any version before 2.0.0
unknown

2.0.0 (custom) before 2.0.0.398
unaffected

Default status
unaffected

Any version before 2.0.0
unknown

2.0.0 (custom) before 2.0.0.418
unaffected

Default status
unaffected

4.5.0 (custom) before 4.5.0.34
affected

4.6.0 (custom) before 4.6.0.1
affected

Default status
unaffected

4.5.0 (custom) before 4.5.0.34
affected

4.6.0 (custom) before 4.6.0.1
affected

Default status
unaffected

4.5.0 (custom) before 4.5.0.36
affected

4.6.0 (custom) before 4.6.0.1
affected

Default status
unaffected

Any version before 3.1.0
unknown

3.1.0 (custom) before 3.1.0.349
affected

3.2.0 (custom) before 3.2.0.453
affected

3.2.1 (custom) before 3.2.1.73
affected

4.0.0 (custom) before 4.0.0.373
affected

4.1.0 (custom) before 4.1.0.236
affected

4.2.0 (custom) before 4.2.0.176
affected

4.3.0 (custom) before 4.3.0.88
affected

4.4.0 (custom) before 4.4.0.52
affected

4.5.0 (custom) before 4.5.0.35
affected

4.6.0 (custom) before 4.6.0.1
affected

Default status
unaffected

Any version before 5.10.0
unknown

5.10.0 (custom) before 5.10.0.378
affected

5.11.0 (custom) before 5.11.0.425
affected

6.0.0 (custom) before 6.0.0.252
affected

6.1.0 (custom) before 6.1.0.253
affected

7.0.0 (custom) before 7.0.0.130
affected

7.1.0 (custom) before 7.1.0.38
affected

7.2.0 (custom) before 7.2.0.1
affected

Default status
unaffected

Any version before 5.10.0
unknown

5.10.0 (custom) before 5.10.0.369
affected

Default status
unaffected

Any version before 6.6.0
unknown

6.6.0 (custom) before 6.6.0.226
affected

Default status
unknown

4.5.3 (custom) before 4.5.3.50
affected

4.6.0 (custom) before 4.6.0.2253
affected

4.6.1 (custom) before 4.6.1.157
affected

4.6.2 (custom) before 4.6.2.673
affected

4.6.3 (custom) before 4.6.3.41
affected

4.6.4 (custom) before 4.6.4.22
affected

4.7.1 (custom) before 4.7.1.73
affected

4.8.1 (custom) before 4.8.1.43
affected

4.9.0 (custom) before 4.9.0.106
affected

4.9.26 (custom) before 4.9.26.31
affected

4.9.27 (custom) before 4.9.27.16
affected

4.9.28 (custom) before 4.9.28.18
affected

4.9.33 (custom) before 4.9.33.2
affected

4.10.9 (custom) before 4.10.9.75
affected

4.10.42 (custom) before 4.10.42.18
affected

4.10.101 (custom) before 4.10.101.3
affected

4.9.29 (custom)
unaffected

4.10.65 (custom)
unaffected

Credits

Noël MACCARY reporter

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-4117/ vendor-advisory

cve.org (CVE-2025-6670)

nvd.nist.gov (CVE-2025-6670)

Download JSON