A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. While this issue enables persistent client-side script execution, session-related cookies remain protected with the httpOnly flag, preventing session hijacking.
AI analysis not yet available
Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.
No Fix Known
No patch has been released yet. Apply workarounds or mitigations where available.
| Vendor | Product | Versions | Fixed In |
|---|---|---|---|
| wso2 | api_manager | - | - |
| wso2 | api_manager | - |
Published
CVE disclosed publicly
Last Modified
Most recent update
Indexed to CVEInsight
Added to this platform
AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
13
Affected Products
1
References
wso2 / api_manager
| wso2 | api_manager | - | - |
| wso2 | api_manager | - | - |
| wso2 | api_manager | - | - |
| wso2 | api_manager | - | - |
| wso2 | enterprise_integrator | - | - |
| wso2 | identity_server | - | - |
| wso2 | identity_server | - | - |
| wso2 | identity_server | - | - |
| wso2 | identity_server | - | - |
| wso2 | identity_server | - | - |
| wso2 | identity_server_as_key_manager | - | - |
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability
Impact