Security Advisory WSO2-2024-3569/CVE-2024-7075

Published: 2025-06-19

Version: 1.0.0

Severity: Medium

CVSS Score: 4.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVE IDs: CVE-2024-7075

AFFECTED PRODUCTS

  • WSO2 API Manager: 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0
  • WSO2 Enterprise Integrator: 6.6.0
  • WSO2 Identity Server: 5.11.0, 6.0.0, 6.1.0, 7.0.0

OVERVIEW

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified on Management Console.

DESCRIPTION

Due to the lack of output encoding in the management console's user search function, malicious actors may exploit this vulnerability to perform a reflected cross-site scripting (XSS) attack.

IMPACT

By leveraging the XSS attack, a malicious actor can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser or harm otherwise. However, since all the session related sensitive cookies are set with httpOnly flag and protected, session hijacking or similar attacks would not be possible.

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level or a higher update level to apply the fix.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Version U2 Update Level
WSO2 API Manager 3.2.0 388
WSO2 API Manager 3.2.1 31
WSO2 API Manager 4.0.0 325
WSO2 API Manager 4.1.0 186
WSO2 API Manager 4.2.0 125
WSO2 API Manager 4.3.0 36
WSO2 API Manager 4.4.0 2
WSO2 Enterprise Integrator 6.6.0 212
WSO2 Identity Server 5.11.0 364
WSO2 Identity Server 6.0.0 208
WSO2 Identity Server 6.1.0 187
WSO2 Identity Server 7.0.0 60

CREDITS

WSO2 thanks, CyberMavi for responsibly reporting the identified issue and working with us as we addressed it.