📦 WSO2 API Manager

by WSO2

🔍 What is WSO2 API Manager?

WSO2 API Manager is WSO2's open-source API management platform: an API gateway with publisher and developer portals, a key manager for OAuth2/OIDC tokens, and a Carbon-based management console and SOAP admin services. The vulnerabilities below largely concern those management, token and XML-processing surfaces.

🛡️ Security Overview

25 known vulnerabilities are listed below: 7 critical, 5 high and 13 medium severity (CVSS base scores as published).

⚠️ Known Vulnerabilities

CVE-2025-9312

CRITICAL CVSS 9.8 Nov 18, 2025

A missing authentication enforcement vulnerability in WSO2 products allows unauthenticated access to System REST APIs and SOAP services when mutual TLS (mTLS) is enabled in certain default configurati...

CVE-2025-9152

CRITICAL CVSS 9.8 Oct 16, 2025

This vulnerability allows unauthenticated attackers to generate administrative access tokens in WSO2 API Manager by exploiting missing authentication/authorization checks in the Dynamic Client Registr...

CVE-2025-10611

CRITICAL CVSS 9.8 Oct 16, 2025

This critical vulnerability in WSO2 products allows attackers to bypass authentication and authorization checks for certain REST APIs, enabling unauthenticated administrative access. Attackers could p...

CVE-2024-6914

CRITICAL CVSS 9.8 May 22, 2025

This vulnerability allows attackers to reset any user's password via a flawed SOAP admin service in WSO2 products, leading to complete account takeover including privileged accounts. It affects WSO2 p...

CVE-2025-2905

CRITICAL CVSS 9.1 May 5, 2025

This CVE describes an XML External Entity (XXE) vulnerability in multiple WSO2 products due to improper XML parser configuration. It allows remote unauthenticated attackers to read sensitive server fi...

CVE-2021-42646

CRITICAL CVSS 9.1 May 11, 2022

This CVE describes an XML External Entity (XXE) vulnerability in WSO2 API Manager and Identity Server management consoles. Attackers can exploit it via crafted GET requests to read sensitive files fro...

CVE-2022-29464

CRITICAL CVSS 9.8 Apr 18, 2022

CVE-2022-29464 is a critical unrestricted file upload vulnerability in multiple WSO2 products that allows attackers to upload malicious files to web-accessible directories via directory traversal. Thi...
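
The following is an added illustration of the vulnerability class described for CVE-2022-29464, not WSO2's servlet code and not a reproduction of the actual exploit: an upload handler that joins a client-supplied file name onto a server directory lets `../` segments land the file in a web-served location, while the hardened version keeps only the last path component, whitelists its characters, and proves the resolved path is still inside a dedicated, non-served upload directory. The directory layout and the file name are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Illustrative code (not WSO2's): the "before" trusts the client-supplied
 * file name, the "after" confines writes to an upload directory that is
 * not web-served. Paths and inputs below are constructed for the demo.
 */
public class UploadPathDemo {

    /** Vulnerable: concatenates the client-supplied name under the handler's directory. */
    static Path vulnerableTarget(Path workDir, String clientFileName) {
        return workDir.resolve(clientFileName).normalize();
    }

    /** Hardened: strip directory components, whitelist characters, confine to the upload dir. */
    static Path hardenedTarget(Path uploadDir, String clientFileName) throws IOException {
        // Keep only the last path component; any '/' or '\' is attacker-controlled structure.
        String base = clientFileName.replaceAll(".*[/\\\\]", "");
        if (base.isEmpty() || base.equals(".") || base.equals("..")
                || !base.matches("[A-Za-z0-9._-]{1,128}")) {
            throw new IOException("rejected file name: " + clientFileName);
        }
        Path root = uploadDir.toRealPath();
        Path target = root.resolve(base).normalize();
        // Defence in depth: even after sanitising, prove the result is still inside the root.
        if (!target.startsWith(root)) {
            throw new IOException("path escapes upload directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path home = Files.createTempDirectory("upload-demo");          // stands in for the server home
        Path workDir = Files.createDirectories(home.resolve("repository/tmp"));
        Path webRoot = Files.createDirectories(home.resolve("webapps/demo"));
        Path uploadDir = Files.createDirectories(home.resolve("uploads"));

        // Constructed attacker input: traverse out of the handler's directory into a web-served one.
        String evil = "../../webapps/demo/shell.jsp";

        Path v = vulnerableTarget(workDir, evil);
        System.out.println("vulnerable resolves to : " + v);
        System.out.println("inside web root?       : " + v.startsWith(webRoot));

        try {
            hardenedTarget(uploadDir, evil);
        } catch (IOException e) {
            System.out.println("hardened rejected      : " + e.getMessage());
        }
        Path ok = hardenedTarget(uploadDir, "report-2025.pdf");
        System.out.println("hardened accepts       : " + ok);
        Files.writeString(ok, "placeholder");
    }
}
```

Confining uploads to a directory the servlet container never serves is the part that matters most: even if a name check is later found to be bypassable, a planted JSP that is not reachable over HTTP cannot be executed.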

CVE-2024-1524

HIGH CVSS 7.7 Feb 24, 2026

This vulnerability allows a malicious actor to take over local user accounts when federated authentication with Silent Just-In-Time Provisioning is enabled. An attacker can associate a targeted local ...

CVE-2025-6670

HIGH CVSS 8.8 Nov 18, 2025

This CSRF vulnerability in WSO2 products allows attackers to trick authenticated users into performing unintended administrative actions by clicking malicious links. It affects WSO2 products with expo...

CVE-2025-11093

HIGH CVSS 8.4 Nov 5, 2025

This CVE describes an arbitrary code execution vulnerability in WSO2 integration products where authenticated users with elevated privileges (administrators in WSO2 Micro/Enterprise Integrator, admini...

CVE-2025-10907

HIGH CVSS 8.4 Nov 5, 2025

An arbitrary file upload vulnerability in WSO2 products allows authenticated administrators to upload malicious files to user-controlled locations via SOAP admin services. This can lead to remote code...

CVE-2023-6837

HIGH CVSS 8.5 Dec 15, 2023

This vulnerability in WSO2 products allows attackers to impersonate legitimate users through JIT provisioning flaws. Organizations using WSO2 products with specific federated authentication configurat...

CVE-2025-10713

MEDIUM CVSS 6.5 Nov 5, 2025

An XML External Entity (XXE) vulnerability in multiple WSO2 products allows attackers to read sensitive server files or cause denial-of-service. The vulnerability is exploitable by unauthenticated remote attack...

CVE-2025-3125

MEDIUM CVSS 6.7 Nov 5, 2025

An arbitrary file upload vulnerability in WSO2 products allows authenticated admin users to upload malicious files to server locations they control, potentially leading to remote code execution. This ...

CVE-2025-5605

MEDIUM CVSS 4.3 Oct 24, 2025

An authentication bypass vulnerability in WSO2 Management Console allows attackers with console access to manipulate request URIs and access restricted resources, leading to partial information disclo...

CVE-2025-5350

MEDIUM CVSS 5.9 Oct 24, 2025

This vulnerability allows attackers to perform SSRF attacks and execute reflected XSS in WSO2 products through the deprecated Try-It feature. Only administrative users are affected, as exploitation re...

CVE-2024-6429

MEDIUM CVSS 4.3 Sep 23, 2025

This content spoofing vulnerability in WSO2 products allows attackers to inject arbitrary content into error messages displayed in the browser UI. By manipulating URL parameters, malicious actors can ...

CVE-2025-5717

MEDIUM CVSS 6.8 Sep 23, 2025

This CVE describes an authenticated remote code execution vulnerability in WSO2 products where administrators can deploy malicious Java code through Siddhi execution plans. The vulnerability allows au...

CVE-2024-4598

MEDIUM CVSS 6.5 Sep 23, 2025

This CVE describes an information disclosure vulnerability in WSO2 products where authenticated users can access sensitive business data from other mediation contexts due to improper state isolation i...

CVE-2024-3511

MEDIUM CVSS 4.3 Jun 23, 2025

This CVE describes an authorization bypass vulnerability in WSO2 products that allows authenticated users with management console access to retrieve versioned registry files without proper permissions...

CVE-2024-8008

MEDIUM CVSS 5.2 Jun 2, 2025

A reflected XSS vulnerability in WSO2 products allows attackers to inject malicious JavaScript via JDBC user store connection validation error messages. This affects users of vulnerable WSO2 products,...

CVE-2024-1440

MEDIUM CVSS 5.4 Jun 2, 2025

An open redirection vulnerability in WSO2 products allows attackers to craft malicious authentication links that redirect users to attacker-controlled sites. This affects WSO2 products with multi-opti...

CVE-2024-7097

MEDIUM CVSS 4.3 May 30, 2025

This vulnerability allows attackers to create unauthorized user accounts in WSO2 products regardless of self-registration settings. It affects WSO2 products with SOAP admin service enabled. Attackers ...

CVE-2024-5962

MEDIUM CVSS 6.1 May 22, 2025

A reflected cross-site scripting (XSS) vulnerability in WSO2 authentication endpoints allows attackers to inject malicious JavaScript into the authentication flow. This affects users of multiple WSO2 ...

CVE-2024-2321

MEDIUM CVSS 5.6 Feb 27, 2025

This vulnerability allows attackers to bypass authorization in WSO2 products by using refresh tokens instead of access tokens to access protected APIs. Attackers who obtain an admin user's refresh tok...