

Security Advisory WSO2-2024-3281

Published: 2026-05-03

Version: 1.0.0

Severity: Not Applicable

CVSS Score: Not Applicable

---

AFFECTED PRODUCTS

• WSO2 API Manager: 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0
• WSO2 Enterprise Integrator: 6.6.0
• WSO2 Identity Server as Key Manager: 5.10.0
• WSO2 Identity Server: 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
• WSO2 Open Banking AM: 2.0.0
• WSO2 Open Banking IAM: 2.0.0

OVERVIEW

Potential to Self Cross Site Scripting (Self-XSS)

DESCRIPTION

Due to the lack of sanitization user inputs can be directly passed into the Document Object Model (DOM) to render arbitrary HTML/JavaScript code on the management console. However a malicious actor cannot exploit this issue to compromise any victim as DOM variable values reset after the browser tab is refreshed.it is generally called it as Self-XSS.

IMPACT

There is no specific impact on Confidentiality Integrity or Availability caused by the identified issue. Nevertheless as a best practice we are delivering the fix to address it as a security improvement.

SOLUTION

Community Users (Open Source)

Migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name	Product Version	Update Level
WSO2 API Manager	4.2.0	77
WSO2 API Manager	4.1.0	144
WSO2 API Manager	4.0.0	281
WSO2 API Manager	3.2.1	3
WSO2 API Manager	3.2.0	358
WSO2 API Manager	3.1.0	270
WSO2 Enterprise Integrator	6.6.0	229
WSO2 Identity Server	7.0.0	133
WSO2 Identity Server	6.1.0	256
WSO2 Identity Server	6.0.0	255
WSO2 Identity Server	5.11.0	428
WSO2 Identity Server	5.10.0	288
WSO2 Identity Server as Key Manager	5.10.0	286
WSO2 Open Banking AM	2.0.0	317
WSO2 Open Banking IAM	2.0.0	338

CREDITS

WSO2 thanks, Suraj Theekshana for responsibly reporting the identified issue and working with us as we addressed it.