WSO2 漏洞與 CVE 列表(123)

產品(CPE): — CVE 數: 123

WSO2 漏洞概覽

彙總 WSO2 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。

常見弱點模式包括 跨站腳本、XXE、SSRF與CSRF,在 軟體部署與生產負載 使用場景中可能帶來 工作階段劫持、異常行為與檔案覆寫 等風險。

相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。

漏洞分布趨勢(近 24 個月)

顯示 120123 CVE 數
«« 第一頁 « 上一頁 第 1 / 7 頁 下一頁 »
CVE 摘要 來源 最高 CVSS EPSS % 公開時間 更新時間
CVE-2026-4249 The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition. Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is ed10eef1-636d-4fbe-9993-6890dfa878f8 8.6 0.34% 2026-07-06 2026-07-09
CVE-2025-8591 The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on sessio ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 0.16% 2026-07-06 2026-07-09
CVE-2024-1248 The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When the ed10eef1-636d-4fbe-9993-6890dfa878f8 4.8 0.21% 2026-07-04 2026-07-09
CVE-2025-13475 In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify informa ed10eef1-636d-4fbe-9993-6890dfa878f8 3.5 0.16% 2026-07-04 2026-07-09
CVE-2026-2053 The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests. Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unautho ed10eef1-636d-4fbe-9993-6890dfa878f8 8.3 0.20% 2026-06-26 2026-06-27
CVE-2025-9973 Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication logic on other organizations and sub-organizations. This flaw allows bypassing authorization boundaries between organizations, leading to unauthor ed10eef1-636d-4fbe-9993-6890dfa878f8 6.4 0.37% 2026-05-11 2026-06-17
CVE-2025-10470 The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger. ed10eef1-636d-4fbe-9993-6890dfa878f8 8.6 0.32% 2026-05-11 2026-06-17
CVE-2025-8325 The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could ed10eef1-636d-4fbe-9993-6890dfa878f8 6.3 0.17% 2026-05-11 2026-06-17
CVE-2025-8154 In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie va ed10eef1-636d-4fbe-9993-6890dfa878f8 5.3 0.19% 2026-05-11 2026-06-17
CVE-2025-10908 Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock ed10eef1-636d-4fbe-9993-6890dfa878f8 7.3 0.23% 2026-05-11 2026-06-17
CVE-2024-0391 The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading ed10eef1-636d-4fbe-9993-6890dfa878f8 5.3 0.18% 2026-05-11 2026-06-17
CVE-2025-10503 The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protectio ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 0.17% 2026-04-29 2026-06-17
CVE-2025-12624 Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed ed10eef1-636d-4fbe-9993-6890dfa878f8 6.0 0.18% 2026-04-16 2026-06-17
CVE-2025-6024 The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related co ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 0.23% 2026-04-16 2026-06-17
CVE-2024-8010 The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product. ed10eef1-636d-4fbe-9993-6890dfa878f8 3.5 0.27% 2026-04-16 2026-06-17
CVE-2024-4867 The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hij ed10eef1-636d-4fbe-9993-6890dfa878f8 5.4 0.19% 2026-04-16 2026-06-17
CVE-2024-10242 The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 0.24% 2026-04-16 2026-06-17
CVE-2024-2374 The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploite ed10eef1-636d-4fbe-9993-6890dfa878f8 7.5 0.38% 2026-04-16 2026-06-17
CVE-2024-1524 When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted ed10eef1-636d-4fbe-9993-6890dfa878f8 7.7 0.26% 2026-02-24 2026-06-17
CVE-2025-13590 A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload. ed10eef1-636d-4fbe-9993-6890dfa878f8 9.1 0.68% 2026-02-19 2026-06-17
«« 第一頁 « 上一頁 第 1 / 7 頁 下一頁 »
cvelogic Threat Intelligence